Cybersecurity · April 18, 2026

Dutch DPA Logs 66 Breach Reports After Chipsoft Ransomware Steals Patient Data

The Dutch Data Protection Authority received 66 breach notifications linked to a ransomware attack on Chipsoft’s HiX 365 platform that exposed patient treatment data. Affected providers include family doctors, rehab clinics and the Rotterdam Eye Hospital.

Peter Olaleru, Cybersecurity Editor


**TL;DR** A ransomware attack on Chipsoft’s cloud-hosted HiX 365 platform led to the theft of patient treatment data and triggered 66 breach reports filed with the Dutch Data Protection Authority. Affected providers include family doctors, rehabilitation clinics and the Rotterdam Eye Hospital.

## Context

Chipsoft confirmed last week that attackers gained unauthorized access to its HiX 365 service, exfiltrated medical information and deployed ransomware. The company initially told clients that personal data was “probably” safe, but later acknowledged the breach after forensic analysis confirmed data loss. The incident impacted organizations that rely on Chipsoft’s cloud offering; those running the software on their own servers were not affected. The stolen data concerns treatment details, though it has not appeared on dark‑web markets according to Dutch press.

## Key Facts

The Dutch Data Protection Authority (DPA) has logged 66 breach notifications tied to the Chipsoft incident, one of which came from Chipsoft itself. The family doctors’ association LHV noted that dozens of practices use the HiX 365 system, with the largest concentration in North Limburg. Chipsoft CEO Hans Mulder said, “We are doing everything we can to support the affected customers as best as possible.” The Dutch Patients’ Federation added, “Patients need to know where they stand, especially when it involves sensitive medical data.” No ransom payment or negotiation details have been disclosed, and the attackers have not yet leaked the stolen information.

## What It Means

The volume of reports signals widespread concern among healthcare providers about data confidentiality and regulatory compliance under GDPR. Patients treated at the affected facilities may face uncertainty about how their health information is used or exposed, potentially affecting trust in digital health services. For Chipsoft, the breach raises questions about the security posture of its cloud platform and its incident‑response communications, especially the initial “probably safe” statement. Regulators may scrutinize the company’s adherence to GDPR breach‑notification timelines and its duty to inform data subjects promptly, which could lead to fines or enforcement actions.

## Mitigations (What Defenders Should Do)

- Enforce multi‑factor authentication for all privileged accounts accessing cloud‑hosted medical applications.
- Review and tighten identity‑and‑access‑management policies, removing unused service accounts and applying least‑privilege principles.
- Monitor login attempts and data‑access patterns for anomalies using SIEM rules aligned with MITRE ATT&CK T1078 (Valid Accounts) and T1041 (Exfiltration Over Command‑and‑Control).
- Ensure the HiX 365 platform and any integrated components are patched against known vulnerabilities; subscribe to Chipsoft security advisories and apply updates within vendor‑recommended windows.
- Maintain offline, encrypted backups of critical patient data and test restoration procedures quarterly.
- Develop and rehearse an incident‑response plan that includes timely breach notification to regulators and affected individuals, as required by GDPR Articles 33 and 34.
