A ransomware attack on ChipSoft, the Dutch healthcare software company whose HiX electronic health record platform underpins roughly 80% of the Netherlands’ hospital infrastructure, has escalated into a potential mass patient data breach. As of April 15, sources confirm that patient data—including names, national identification numbers, diagnoses, treatment histories, and insurance details—may have been exfiltrated during the incident.

Timeline

The attack was first detected on April 7, 2026, when ChipSoft’s public-facing website went offline. Z-CERT, the Netherlands’ Computer Emergency Response Team for healthcare, confirmed the ransomware incident the same day and began coordinating the national response.

By April 8, eleven Dutch hospitals had disconnected from ChipSoft systems entirely, with nine of those relying heavily on the HiX platform for day-to-day operations. ChipSoft disabled its Zorgportaal patient portal, HiX Mobile application, and Zorgplatform integration connections as containment measures.

On April 15, Dutch public broadcaster NOS reported that hospital patient data may have been stolen during the attack. ChipSoft acknowledged “possible unauthorized access” and stated it “cannot rule out that patient data has been accessed or stolen.”

What’s Affected

ChipSoft’s flagship product, HiX, is the dominant EHR system in the Netherlands. The platform manages patient records, clinical workflows, lab results, medication administration, and scheduling across the majority of Dutch hospitals. The cloud-hosted variant, HIX365, is particularly concerning—hospitals using this deployment model route patient data through ChipSoft-managed infrastructure, meaning a compromise of ChipSoft’s environment could expose records at scale.

The scope of potentially affected data includes:

  • Patient names and national identification numbers (BSN)
  • Diagnoses and treatment histories
  • Lab results and medication records
  • Insurance details
  • Appointment and scheduling data

With HiX deployed across approximately 70–80% of Dutch hospitals, the potential breach surface covers millions of patient records.

Response

Z-CERT issued guidance directing all affected hospitals to immediately sever VPN connections to ChipSoft and audit their network traffic logs for anomalous activity. ChipSoft brought in external security consultants and implemented emergency measures including:

  • Taking all HIX365 patient-facing sites offline
  • Instructing hospitals to delete or password-rotate all ChipSoft support accounts with access to hospital environments
  • Disabling remote access pathways used for vendor support

Hospitals with on-premises HiX deployments that maintained isolated network segments were less affected, as the attack vector appears to have targeted ChipSoft’s centralized infrastructure rather than individual hospital networks.

No Attribution Yet

As of April 15, no ransomware group has publicly claimed responsibility for the attack. This is unusual—most ransomware operators post victims to their leak sites within days to accelerate extortion negotiations. The silence could indicate ongoing negotiations, a state-sponsored actor with different motives, or an operator deliberately avoiding attention given the sensitivity of healthcare data.

What to Do

If your organization integrates with ChipSoft systems:

  1. Sever VPN connections to ChipSoft infrastructure immediately if you haven’t already, per Z-CERT guidance.
  2. Audit logs for any ChipSoft support account activity in the past 30 days. Look for unusual login times, bulk data access, or lateral movement.
  3. Rotate all credentials associated with ChipSoft integration points, including API keys, service accounts, and any shared credentials.
  4. Monitor for data exposure on ransomware leak sites and paste sites. If your hospital used HIX365, assume patient data may be compromised until proven otherwise.
  5. Notify your DPO and begin GDPR breach assessment procedures. The 72-hour notification window under Article 33 applies if personal data exposure is confirmed.

The Bigger Picture

This incident is a textbook example of healthcare supply chain concentration risk. When a single vendor controls the EHR infrastructure for 80% of a country’s hospitals, a compromise of that vendor doesn’t just affect one organization—it threatens the entire national healthcare system. The Dutch healthcare sector is now contending with the reality that vendor consolidation, while operationally efficient, creates catastrophic single points of failure.

The fact that no group has claimed the attack eight days later makes this one worth watching closely.

Sources: