Ransomware Attack on ChipSoft Disrupts Patient Records Across 80% of Dutch Hospitals

A ransomware attack on ChipSoft, the vendor behind the HiX electronic patient record system used by approximately 80% of Dutch hospitals, has forced eleven hospitals offline and into emergency paper procedures. Patient data has potentially been accessed. The incident is a landmark illustration of healthcare supply chain concentration risk and the cascading consequences of a single vendor compromise.

What Happened

On 7 April 2026, ChipSoft — the Dutch healthcare IT company whose HiX system is the dominant electronic patient record (EPR) platform in the Netherlands — was struck by a ransomware attack. By 8 April, eleven hospitals had disconnected from ChipSoft infrastructure and activated emergency paper-based procedures. ChipSoft has confirmed a “data incident” with possible unauthorised access to patient health records.

Z-CERT, the Dutch national cybersecurity authority for healthcare, has advised all healthcare institutions with VPN connections to ChipSoft to disconnect immediately and monitor their internal networks for signs of compromise.

Business Impact

The operational consequences of this attack flow in two directions: immediate disruption and potential long-term liability.

Immediate disruption: Eleven hospitals operating without electronic patient records, medication management, imaging integration, and clinical scheduling systems. Clinical staff are reverting to paper-based workflows — slower, error-prone, and resource-intensive. Elective procedures, pharmacy functions, and outpatient services are degraded. The cascading effect is a sector-wide resilience test affecting millions of Dutch patients who rely on these institutions.

Financial and legal exposure: ChipSoft faces significant liability under Dutch law, the GDPR, and potentially NIS2 if it is determined to be an essential entity under that directive’s scope. The potential breach of special category health data for patients across dozens of hospitals creates notification obligations and potential regulatory fines (up to 4% of global annual turnover under GDPR). Individual hospitals connected to ChipSoft may also face their own GDPR notification obligations if patient data stored on ChipSoft systems has been accessed.

Vendor concentration risk: This incident is a systemic warning. A single vendor holds approximately 80% of the Dutch hospital EPR market. There is no practical competitor that hospitals could switch to on short notice. The concentration that made HiX commercially successful has become a liability at the national level.

Regulatory Implications

GDPR (Article 33 — Breach Notification): Data controllers (hospitals) must notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of identifying a breach involving personal data. ChipSoft’s confirmation of a “data incident with possible unauthorised access” triggers this obligation. The clock is running.

GDPR (Article 28 — Data Processors): Hospitals using ChipSoft as a data processor must review their data processing agreements with ChipSoft and assess whether ChipSoft’s security obligations have been met. Hospitals are accountable to their patients as data controllers regardless of where the security failure occurred.

NIS2 (Directive 2022/2555): Healthcare entities classified as essential under NIS2 must notify national authorities of significant incidents. Hospitals and potentially ChipSoft itself may have notification obligations to Dutch health regulators and ENISA under NIS2’s incident reporting requirements.

Board-Ready Summary

  • ChipSoft, used by ~80% of Dutch hospitals, has been hit by ransomware. Patient records may have been accessed. Eleven hospitals are running on paper.
  • This is a supply chain attack — the direct victim is the technology vendor, not the hospitals themselves, but the impact propagates to every connected organisation.
  • Regulatory clocks are running. Dutch hospitals connected to ChipSoft have a 72-hour window to assess and notify data protection authorities under GDPR. Legal counsel should be engaged now.

If your organisation uses ChipSoft or HiX:

  1. Disconnect VPN connections to ChipSoft infrastructure per Z-CERT guidance
  2. Activate your EPR downtime procedures and brief clinical staff
  3. Engage your Data Protection Officer to assess GDPR Article 33 notification obligations
  4. Review your data processing agreement with ChipSoft and document your compliance assessment
  5. Audit your own network logs for any unusual activity originating from ChipSoft network ranges
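Step 5 above (and the Z-CERT advice to monitor internal networks) is the one item on this list that can be partly automated. The script below is an added example, not code from the briefing, ChipSoft or Z-CERT: it reads firewall or VPN log lines, keeps only those whose source address falls inside a set of vendor network ranges, and raises two kinds of finding that a hospital SOC would want to see first: allowed connections from the vendor range onto administrative ports that a records integration has no business using, and a single vendor address touching many distinct internal hosts. The CIDR ranges are placeholders from documentation address space (ChipSoft's real ranges are not on this page), the `key=value` log format and the sample lines are constructed, and the `WATCH_PORTS` set is an assumption you should tune to your own integration's expected traffic.

```python
"""Flag log entries whose source IP falls inside vendor network ranges.

Added example, not from the briefing or from ChipSoft. VENDOR_RANGES are
PLACEHOLDER networks; replace them with the ranges your vendor contract or
Z-CERT guidance actually names. The log format is a constructed key=value
style; adapt parse_line() to your firewall or VPN concentrator's format.
"""
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space), not ChipSoft's real ranges.
VENDOR_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Ports that a records-system integration normally has no reason to use;
# an assumption, tune to what your own vendor connection is contracted to do.
WATCH_PORTS = {"22", "445", "3389", "5985", "5986"}

# Constructed sample log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-04-08T02:14:07Z action=allow src=203.0.113.45 dst=10.20.1.15 dport=445 proto=tcp user=vpn-vendor
2026-04-08T02:14:09Z action=allow src=203.0.113.45 dst=10.20.1.16 dport=445 proto=tcp user=vpn-vendor
2026-04-08T02:14:11Z action=allow src=203.0.113.45 dst=10.20.1.17 dport=3389 proto=tcp user=vpn-vendor
2026-04-08T02:15:00Z action=allow src=10.20.5.8 dst=10.20.1.15 dport=443 proto=tcp user=nurse01
2026-04-08T02:16:30Z action=deny src=198.51.100.7 dst=10.20.2.9 dport=22 proto=tcp user=vpn-vendor
2026-04-08T02:17:00Z action=allow src=192.0.2.99 dst=10.20.1.15 dport=443 proto=tcp user=guest
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_vendor_source(ip_str, ranges=VENDOR_RANGES):
    """True if ip_str parses as an address inside any of the vendor ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed field: never treat garbage as a match
        return False
    return any(ip in net for net in ranges)


def audit(log_text, ranges=VENDOR_RANGES, fanout_threshold=3):
    """Return (vendor_events, findings).

    vendor_events: parsed lines whose src is in a vendor range.
    findings: human-readable strings for (a) allowed connections from a
    vendor address to WATCH_PORTS and (b) one vendor address reaching
    fanout_threshold or more distinct internal hosts.
    """
    vendor_events = []
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is None or "src" not in fields:
            continue
        if is_vendor_source(fields["src"], ranges):
            vendor_events.append(fields)

    by_src = {}
    for event in vendor_events:
        by_src.setdefault(event["src"], []).append(event)

    findings = []
    for src, events in by_src.items():
        watched = [e for e in events
                   if e.get("action") == "allow" and e.get("dport") in WATCH_PORTS]
        if watched:
            ports = sorted({e["dport"] for e in watched})
            findings.append(f"{src}: {len(watched)} allowed connection(s) on "
                            f"admin/lateral-movement ports {ports}")
        distinct_hosts = {e.get("dst") for e in events}
        if len(distinct_hosts) >= fanout_threshold:
            findings.append(f"{src}: reached {len(distinct_hosts)} distinct "
                            f"internal hosts (possible scanning)")
    return vendor_events, findings


if __name__ == "__main__":
    events, findings = audit(SAMPLE_LOG)
    print(f"{len(events)} event(s) from vendor ranges")
    for line in findings:
        print("FINDING:", line)
```

Run it against an export of the relevant period (the briefing's timeline puts the window from 7 April 2026 onward) rather than live traffic, and keep the denied events in the output: a `deny` from the vendor range is not a compromise, but a burst of them immediately before an `allow` is exactly the sequence an analyst wants to see alongside the allowed admin-port connections.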

If you are a healthcare organisation reviewing supply chain risk:

  1. Map all third-party clinical IT vendors with access to patient data or clinical networks
  2. Assess what your operations would look like if your EPR vendor were unavailable for two to four weeks
  3. Review vendor security requirements in your contracts against current baseline standards (ENISA, NEN 7510 in the Netherlands)
  4. Ensure your cyber insurance policy covers business interruption arising from third-party vendor incidents