
ChipSoft Confirms Stolen Patient Data Destroyed After April Ransomware Attack

ChipSoft says stolen data from early April ransomware attack destroyed; recovery ongoing, no ransom confirmation. Impact on Dutch hospitals.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Stateofsurveillance

ChipSoft announced that all patient data stolen in an early April ransomware attack has been destroyed, though it has not disclosed whether a ransom was paid. The company, which supplies over 70% of Dutch hospitals’ electronic health records, says systems are being restored and the forensic probe continues.

The attack was first noticed on April 7 by ChipSoft staff, who initially labeled it a data incident. A week later the firm confirmed that medical personal information had been exfiltrated. As a precaution, ChipSoft took its Zorgportaal, HiX Mobile, HAS Relay, and Zorgplatform services offline.

The ransomware group Embargo claimed responsibility and threatened to publish the stolen data. ChipSoft has neither denied nor confirmed paying a ransom to prevent disclosure, a move discouraged by Dutch authorities but not illegal. The company stressed that protecting customer data remained its top priority during the incident.

ChipSoft holds over 70% of the market for EHR software in Dutch hospitals. The incident affected HiX on‑premises, HiX SaaS, and the SaaS patient portal hosted via ChipSoft. Healthcare institutions that run the software themselves or via third‑party managers were not impacted, according to the firm.

ChipSoft says the stolen data has been destroyed in what it describes as a “technically sound manner,” without detailing the method. The firm has not revealed whether any payment was made to the attackers.

Recovery is proceeding smoothly, ChipSoft reports, but requires care and time. The forensic investigation into the initial access vector is still ongoing, and the company is coordinating with Z‑Cert, the Dutch Data Protection Authority, and the Centre for Cyber Security Belgium.

With over 70% of Dutch hospitals relying on ChipSoft’s EHR platform, any disruption risks delays in patient care and administrative workflows. The confirmed destruction of stolen data reduces the likelihood of public leakage, but the lack of transparency around ransom payment leaves uncertainty about whether attackers received funds that could finance future operations.

Defenders should review and harden remote access controls, enforce multi‑factor authentication, and ensure timely patching of known vulnerabilities exploited by ransomware groups such as Embargo. Monitoring for MITRE ATT&CK techniques T1078 (Valid Accounts), T1566.001 (Spearphishing Attachment), and T1486 (Data Encrypted for Impact) can help detect similar intrusions. Maintaining offline, immutable backups and testing restoration procedures regularly are critical to limit reliance on ransom payments.
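One way to turn the T1078 and T1486 monitoring advice above into a check, as an added example that is not from ChipSoft or the original article: it flags remote logins that skipped MFA and per-process file-rename bursts, then ranks hosts that show both. The event schema, host and account names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not real logs).
EVENTS = [
    {"ts": "2025-01-01T02:10:00", "type": "remote_login", "host": "ehr-app01",
     "user": "svc_backup", "mfa": False},
    {"ts": "2025-01-01T02:11:00", "type": "remote_login", "host": "ehr-db01",
     "user": "j.devries", "mfa": True},
] + [   # 40 renames in 40 seconds by one process: burst
    {"ts": f"2025-01-01T02:30:{i:02d}", "type": "file_rename", "host": "ehr-app01",
     "process": "upd.exe", "path": f"D:/data/rec{i}.db"}
    for i in range(40)
] + [   # 40 renames spread over 40 minutes: normal job, no burst
    {"ts": f"2025-01-01T03:{i:02d}:00", "type": "file_rename", "host": "ehr-db01",
     "process": "backup.exe", "path": f"E:/bak/day{i}.bak"}
    for i in range(40)
]

def mfa_less_logins(events):
    """T1078 candidates: successful remote logins that did not use MFA."""
    return {(e["host"], e["user"]) for e in events
            if e["type"] == "remote_login" and not e["mfa"]}

def rename_bursts(events, threshold=30, window=timedelta(seconds=60)):
    """T1486 candidates: one process renaming >= threshold files inside the window."""
    recent, hits = defaultdict(deque), set()  # (host, process) -> timestamps in window
    renames = (e for e in events if e["type"] == "file_rename")
    for e in sorted(renames, key=lambda e: e["ts"]):
        key, ts = (e["host"], e["process"]), datetime.fromisoformat(e["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            hits.add(key)
    return hits

def correlate(events):
    """Rank hosts: both signals on one host outrank either signal alone."""
    findings = defaultdict(set)
    for host, _user in mfa_less_logins(events):
        findings[host].add("T1078")
    for host, _proc in rename_bursts(events):
        findings[host].add("T1486")
    return sorted(findings.items(), key=lambda kv: -len(kv[1]))

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The threshold and window need tuning against legitimate bulk jobs such as backups and archive rotation before alerting on them.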

ChipSoft’s ongoing cooperation with national CERTs and data protection authorities may yield further indicators of compromise; organizations using its products should watch for any advisories issued by Z‑Cert or the Dutch DPA regarding IOCs or recommended configuration changes.

What to watch next: any official statement from ChipSoft on ransom payment details, updates from the forensic investigation, and potential guidance from Dutch authorities on ransomware response for healthcare providers.
