Dutch Healthcare Giant ChipSoft Claims Stolen Patient Data Destroyed After Ransomware Attack

2026-04-30 data

Netherlands, Thursday, 30 April 2026.
ChipSoft, which controls over 70% of Dutch hospital software systems, announced that patient data stolen in an April 7, 2026 ransomware attack has been destroyed. The Embargo hacking group had threatened to publish 100 gigabytes of sensitive medical records including names, diagnoses, and national ID numbers from affected hospitals and clinics. While ChipSoft’s cybersecurity experts verified the destruction occurred ‘in a technically correct manner,’ the company refuses to confirm whether ransom was paid to the criminals, raising questions about data security in concentrated healthcare infrastructure.

Scale and Scope of the Attack

The ransomware attack discovered on April 7, 2026, exposed the vulnerabilities of concentrated healthcare infrastructure in the Netherlands [1]. ChipSoft operates as the largest provider of electronic health record software in the Netherlands, commanding a market share of over 70 percent among hospitals [1]. The company’s dominance extends beyond hospitals, maintaining a significant presence among general practices as well [1]. The attack specifically targeted ChipSoft’s cloud-hosted systems, affecting applications including Zorgportaal, HiX Mobile, HAS Relay, and Zorgplatform, which the company took offline as a precautionary measure [1].

Immediate Impact Across Healthcare Network

The attack’s reach extended far beyond ChipSoft’s headquarters, impacting multiple healthcare institutions across the Netherlands and Belgium [4]. Eleven hospitals immediately severed their VPN connections in response to the breach, while patient portals ceased functioning [4]. The attack affected family doctors, rehabilitation clinics, and the Rotterdam Eye Hospital, all of which utilized ChipSoft’s cloud-hosted HiX 365 platform [2]. By April 16, 2026, ChipSoft confirmed that medical personal data had been compromised, including names, diagnoses, treatment histories, and national ID numbers [4]. The Dutch Data Protection Authority received 66 separate breach notifications from this single incident, highlighting the interconnected nature of modern healthcare data systems [4].

The Embargo Group’s Threats and Negotiations

The ransomware attack was attributed to the Embargo group, which claimed to have stolen 100 gigabytes of data from ChipSoft [2][3]. The cybercriminal organization threatened to publish the stolen information on the dark web, prompting negotiations between ChipSoft and the attackers [2][3]. ChipSoft acknowledged that discussions with the group had taken place, stating that ‘protecting our customers’ data has always been our top priority. In this exceptional situation, that priority weighed very heavily’ [1]. The threat to publish patient data was subsequently removed, though cybersecurity experts note this could indicate either payment or ongoing negotiations [8].

Verification Claims and Ongoing Questions

On April 29, 2026, ChipSoft announced that its cybersecurity experts had confirmed the destruction of stolen data occurred ‘in a technically correct manner’ [1][2]. However, the company provided no detailed explanation of the verification process or how it could ensure criminals had not retained copies of the sensitive information [2]. ChipSoft has neither confirmed nor denied whether a ransom payment was made to secure the data destruction [1][2]. Cybersecurity expert Jort Kollerie expressed skepticism about the certainty of such claims, noting that ‘you are negotiating with criminals. You cannot make that claim with certainty’ [9]. The forensic investigation into how attackers initially gained access to ChipSoft’s systems remains ongoing, with the company working alongside Z-Cert, the Dutch Data Protection Authority, and the Centre for Cyber Security Belgium [1].

Bronnen

healthcare cybersecurity