Cyber attacks can create immediate operational disruption, particularly when critical services depend on connected systems and third-party technology providers. This article looks at what organisations can learn from the Romanian hospital cyber attack, including the importance of business continuity planning.

In February 2024, more than 100 hospitals across Romania were forced to disconnect from the internet following a large-scale ransomware attack that spread through a widely used healthcare management platform. The incident has since become an international case study in cyber incident response, business continuity and operational resilience.

The attack targeted a medical software system known as Hippocrates, which is used across Romanian hospitals to manage patient records, laboratory requests, pharmacy services, payroll functions and administrative processes. Once attackers gained access to the software provider’s environment, they deployed ransomware known as BackMyData, encrypting files and demanding payment in cryptocurrency.

As reports of disruption began to emerge, Romania’s National Cyber Security Directorate made the difficult decision to instruct more than 100 hospitals to disconnect from the internet immediately. While this action significantly disrupted operations, it helped prevent the ransomware from spreading further and provided valuable time for investigators to assess the scale of the incident.

Healthcare: An Increasingly Attractive Target

Healthcare organisations have become prime targets for cyber criminals because of the critical nature of their services and the sensitivity of the data they hold. Unlike many other sectors, healthcare providers cannot simply suspend operations while systems are restored. Patient care must continue, even when technology is unavailable.

This creates significant pressure on organisations to restore services quickly, making the sector attractive to ransomware groups seeking financial gain.

The Romanian incident also demonstrates how a compromise affecting a single software supplier can rapidly impact multiple organisations through trusted third-party relationships. This type of attack, commonly referred to as a supply chain attack, highlights the importance of understanding and managing third-party cyber risk.

Returning to Pen and Paper

Following the disconnection of affected systems, healthcare staff were required to revert to manual processes to maintain patient care.

Doctors and nurses recorded patient information on paper, laboratories provided printed test results, and hospitals developed temporary offline procedures to continue delivering essential services. While these measures were far from ideal, they enabled medical teams to continue operating during the crisis.

The incident serves as a reminder that business continuity planning should not rely solely on technology. Organisations must understand how critical activities can continue when digital systems become unavailable.

For many healthcare workers, the ability to switch to manual processes helped reduce disruption to patient treatment and maintain essential services during a difficult period.

The Importance of Backups and Recovery Planning

One of the key factors contributing to the recovery was the availability of backups.

Many affected hospitals were able to restore systems from recent backup copies, reducing recovery times and limiting data loss. Within days, most hospitals had returned to near-normal operations.

Regular backup testing remains one of the most effective defences against ransomware. However, organisations should not simply assume backups will work when required. Recovery procedures should be tested regularly to confirm that data can be restored quickly, securely and in the right order during a cyber incident.

This is particularly important where multiple systems, suppliers or departments are involved. The ability to recover individual files is useful, but organisations also need to understand how systems depend on each other and what must be prioritised to restore critical services.

Effective Communication During a Crisis

Another notable aspect of the Romanian response was the emphasis placed on communication.

The National Cyber Security Directorate provided regular updates to healthcare providers, the media and the public throughout the incident. Clear messaging helped manage expectations, reduce confusion and discourage hospitals from engaging directly with the attackers.

Public communication also encouraged patients to avoid attending hospitals unless necessary, helping to reduce pressure on healthcare facilities already operating under difficult conditions.

Cyber incidents are not solely technical challenges. Effective stakeholder communication is often critical to maintaining trust, reducing uncertainty and supporting operational decision-making during a crisis.

Key Lessons for Organisations

Although this incident occurred within the healthcare sector, the lessons apply across all industries.

Organisations should consider whether they have sufficient visibility of cyber risks associated with third-party suppliers, particularly those that support critical operations. Supplier risk should not be assessed only at onboarding. It should be monitored throughout the relationship, with clear expectations around security, incident reporting, recovery arrangements and service continuity.

Organisations should also maintain and regularly test offline backups. Backup processes should be documented, protected from compromise and tested under realistic conditions so that teams understand what can be restored, how quickly and in what order.

Business continuity plans should account for prolonged system outages. This includes understanding how critical activities would continue if key systems, suppliers or communication channels became unavailable. Where manual workarounds are needed, staff should be trained and processes should be tested before a live incident occurs.

Clear cyber incident response procedures are also essential. Organisations need defined decision-making frameworks, escalation routes, roles and responsibilities so that teams can act quickly under pressure.

Communication plans should be in place for employees, customers, suppliers, regulators and other stakeholders. These plans should be practical, tested and aligned with the organisation’s wider incident response and business continuity arrangements.

How AJC Can Help

At AJC, we help organisations strengthen their approach to cyber security, business continuity and operational resilience.

Our team can support organisations with cyber incident response planning, business continuity reviews, third-party risk assessment and desktop scenario exercises. These activities help organisations understand how they would respond to a disruptive cyber incident, where critical dependencies exist, and whether existing plans are practical enough to work under pressure.

We can also help organisations test their recovery arrangements, review communication processes and identify gaps in policies, procedures and governance. By taking a practical, risk-based approach, AJC supports organisations in improving resilience before an incident occurs, rather than waiting until disruption exposes weaknesses.

Conclusion

The Romanian hospital cyber attack demonstrates that cyber resilience is not solely about preventing attacks. Organisations must also be prepared to continue operating when prevention measures fail.

By rapidly isolating affected systems, implementing manual workarounds, restoring data from backups and maintaining clear communication throughout the crisis, Romanian healthcare providers were able to minimise the impact on patient care and recover relatively quickly.

As cyber threats continue to evolve, organisations across all sectors should view this incident as a reminder that resilience, preparedness and recovery capabilities are just as important as preventative security controls.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Image accreditation: Coltea Clinical Hospital, Bucharest, Romania (April 2024) from Wikimedia Commons. Last accessed on 29 June 2026. Available at: https://commons.wikimedia.org/wiki/File:Bucharest_-_Col%C8%9Bea_Hospital.jpg
