ChipSoft Says Stolen Patient Data Destroyed After April Ransomware Attack
Dutch health‑IT firm ChipSoft says stolen patient data from an early‑April ransomware breach has been destroyed, though ransom details remain undisclosed.
*TL;DR: ChipSoft, the dominant Dutch medical‑software provider, says the patient data stolen in an early‑April ransomware attack has been destroyed, though the method and any ransom payment are undisclosed.*
Context
ChipSoft powers electronic health records for more than 70 % of Dutch hospitals and a sizable share of general practices. On April 7, employees detected abnormal activity and classified it as a “data incident.” Within days the firm confirmed that personal health information had been exfiltrated by the ransomware group known as Embargo, which threatened public release.
Key Facts
- The breach forced ChipSoft to take its core applications—Zorgportaal, HiX Mobile, HAS Relay and Zorgplatform—offline as a containment step.
- Attackers accessed the network, stole medical records, and demanded a ransom; negotiations were reported, but the company has not confirmed payment.
- ChipSoft’s cybersecurity team later announced that the stolen data had been destroyed “in a technically sound manner,” though the exact process was not detailed.
- Recovery of on‑premises and SaaS (software‑as‑a‑service) versions of HiX and the patient portal is proceeding, but requires careful validation before systems are returned to clinical use.
- A forensic investigation remains open; the initial entry vector and any exploited vulnerabilities have not been disclosed. ChipSoft is cooperating with Z‑CERT (the Dutch health‑care sector’s computer emergency response team), the Dutch Data Protection Authority, and the Centre for Cybersecurity Belgium (CCB).
What It Means
The incident underscores the high value of health‑care data and the willingness of ransomware groups to target large, centralized providers. Even without a confirmed ransom payment, the threat of data publication can compel victims to negotiate. ChipSoft’s claim of data destruction may mitigate regulatory penalties, but the lack of transparency on the method leaves open questions about forensic soundness and future liability.
Mitigations – What Defenders Should Do
1. Patch Management – Verify that all systems running HiX and related modules are updated against known CVEs, especially those affecting remote desktop protocols and web application frameworks. The initial entry vector has not been disclosed, so treat this as baseline hygiene rather than a fix targeted at this incident.
2. Network Segmentation – Isolate EHR (electronic health record) environments from corporate networks to limit lateral movement.
3. Multi‑Factor Authentication (MFA) – Enforce MFA for all privileged accounts and remote access points.
4. Endpoint Detection and Response (EDR) – Deploy solutions that can detect MITRE ATT&CK techniques such as T1078 (Valid Accounts) and T1486 (Data Encrypted for Impact); the latter is recognised behaviourally, for example when a single process renames or rewrites large numbers of files across several shares within a short window.
5. Backup Integrity – Maintain immutable, offline backups and regularly test restoration procedures.
6. Incident Playbooks – Update ransomware response plans to include data‑destruction verification steps and coordinated communication with regulators and sector CERTs.
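As an added illustration of the EDR item above (this is example code written for this page, not code from ChipSoft or from any EDR product), the following Python script implements a minimal behavioural detector for T1486: it flags any process that renames a threshold number of distinct files, spread across several directories, to one new extension inside a sliding time window. The process names, PIDs, share paths and the ".locked" extension in the sample events are all constructed for the example and do not describe the ChipSoft incident.

```python
"""Heuristic detector for MITRE ATT&CK T1486 (Data Encrypted for Impact).

Added example, not ChipSoft's or any vendor's code. It scores file-system
rename events per process: a burst of renames that switch many files, in
several directories, to a single new extension within a short window is
the classic mass-encryption signature. All sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch (constructed values)
    pid: int
    process: str
    op: str          # "rename" or "write"
    src: str
    dst: str = ""    # rename target; empty for plain writes


def _ext(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events, window=60.0, min_files=25, min_dirs=3):
    """Return [(pid, process, new_extension, files)] for every process that
    renamed >= min_files distinct files across >= min_dirs directories to
    the same new extension inside some window of `window` seconds.
    `files` is the largest such count seen for that process/extension."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        # Only renames that actually change the extension are interesting.
        if e.op == "rename" and e.dst and _ext(e.src) != _ext(e.dst):
            by_proc[(e.pid, e.process)].append(e)

    alerts = []
    for (pid, proc), evs in by_proc.items():
        by_ext = defaultdict(list)
        for e in evs:
            by_ext[_ext(e.dst)].append(e)
        for ext, lst in by_ext.items():
            best = None
            lo = 0
            for hi in range(len(lst)):
                # Slide the window start forward until it fits `window` seconds.
                while lst[hi].ts - lst[lo].ts > window:
                    lo += 1
                span = lst[lo:hi + 1]
                files = {e.src for e in span}
                dirs = {e.src.rsplit("/", 1)[0] for e in span}
                if len(files) >= min_files and len(dirs) >= min_dirs:
                    if best is None or len(files) > best:
                        best = len(files)
            if best is not None:
                alerts.append((pid, proc, ext, best))
    return alerts


def sample_events():
    """Constructed events: a benign editor doing one rename, then an unknown
    process sweeping three share directories (45 files) in about 18 seconds."""
    evs = [FileEvent(1000.0, 4242, "winword.exe", "rename",
                     "/shares/letters/draft.tmp", "/shares/letters/draft.docx")]
    t = 1001.0
    for d in ("radiology", "lab", "admin"):
        for i in range(15):
            src = f"/shares/{d}/record_{i}.pdf"
            evs.append(FileEvent(t, 9981, "update.exe", "rename",
                                 src, src + ".locked"))
            t += 0.4
    return evs


if __name__ == "__main__":
    for a in detect_mass_encryption(sample_events()):
        print("ALERT T1486: pid=%d process=%s ext=.%s files=%d" % a)
```

The thresholds are deliberately conservative defaults; a backup agent or a bulk document converter can legitimately rename many files, so in production the rule would be paired with an allow-list of signed binaries and an entropy check on the written content rather than used on its own.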
What to Watch Next
Watch for the forensic report’s findings on the initial compromise vector and any disclosed CVEs, as they will shape patch priorities for health‑care providers worldwide.
By Peter Olaleru