Romanian Hospitals Cut Off Internet, Switched to Paper to Halt Ransomware Attack

Tue Jun 23 2026 04:57:55 GMT+0000 (Coordinated Universal Time)

When a ransomware attack hit 100 Romanian hospitals in February 2024, medical teams recovered by logging patient care on paper while security experts cut off the ransomware.

In February 2024 a ransomware strain called BackMyData spread through the Hippocrates hospital management system and immobilised more than a hundred hospitals across Romania. The national cyber‑security centre ordered all hospitals to disconnect from the internet, quashing the attackers’ communications and giving IT teams time to investigate. With electronic records gone, doctors and nurses adopted manual registration and paper logbooks to keep treating patients. While the cyber‑security team coordinated the response and restored systems from backup, the medical community devised offline work‑arounds to protect patients. Although the outage cost weeks of data migration, no deaths were recorded and most hospitals were back online within five days.

Hospitals in Romania found themselves without a computer network when a ransomware strain called BackMyData broke out across the country’s major patient‑record system, Hippocrates, in February 2024. The attackers went on to scramble files across 26 hospitals before the national cyber‑security centre sent an emergency order to suspend internet connections at more than a hundred hospitals to keep the hackers from spreading further.

With servers offline, doctors and nurses had to abandon their standard digital records. Instead of the usual electronic charting, they began noting patient details on pens and paper, setting up makeshift paper logbooks, and requesting lab and radiology results on sheet instead of in the system. These work‑arounds were vital to prevent treatment delays while IT teams worked tirelessly to purge the infection and restore the networks.

The decision to cut the hospitals away from the internet may have kept the malware from encrypting vital data, but it also meant that no emails, no web browsers, no devices were available. Yet the hospitals managed to keep providing care, and a handful of staff reported that their patients remained safe because treatment was not postponed.

Investigations revealed that 26 hospitals were infected by the BackMyData ransomware, which demanded a payment of €160,000 in bitcoin. Romanian authorities chose not to comply with the ransom demand and instead focused on cleaning up the systems and restoring data from recent backups.

Once the infection was removed, the hospitals were reconnected to the network three to five days after the outbreak began, with additional security measures patched in to prevent recurrence. Only one handful of patients were affected by the delay, and no mortality has been reported. Most hospital data were recovered thanks to recent backup protocols, underscoring the importance of regular, off‑site data backups.

The March‑5 incident could happen to any nation that relies on digital hospital management systems. Experts note “the more digital you are, the greater your exposure,” and the incident has prompted calls for better protective measures across European health systems. Similar ransomware attacks have already cost hospitals in London and the United States, with one resulting in a patient death and another costing millions of dollars in ransom payments.