ChipSoft Ransomware: 80% of Dutch Hospitals Share One Vendor

Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major technology and security news organizations.

On April 7, Z-CERT — the Netherlands’ healthcare cybersecurity emergency response team — received notification that ChipSoft had been hit by ransomware. ChipSoft is the company behind HiX, the electronic health record platform that runs patient records at roughly 80% of Dutch hospitals. The attack also affected several Belgian hospitals that use the same software. As of this writing, no ransomware group has claimed responsibility — which is unusual. Most operators surface quickly to begin extortion negotiations. Silence five days in is a different kind of signal.

What Happened

ChipSoft disabled three customer-facing services as a precaution: Zorgportaal (the patient portal), HiX Mobile (the clinician mobile app), and Zorgplatform (the inter-hospital data exchange layer). The company’s website went offline the same day. In an internal notice to healthcare customers, ChipSoft acknowledged “possible unauthorized access” and said it “could not rule out that patient data may have been accessed or stolen.”

Z-CERT’s advice to hospitals was immediate and specific: cut your VPN connections to ChipSoft and audit traffic logs for anything unusual. Eleven hospitals in the Netherlands followed that guidance and disconnected their systems entirely. At least nine of those were hospitals that had integrated more deeply with ChipSoft’s platform than average — Sint Jans Gasthuis in Weert, Laurentius in Roermond, VieCuri in Venlo, Flevo Hospital in Almere, and several others. In Belgium, Hospital aan de Stroom in Antwerp, Hospital Oost-Limburg, and Delta Hospital in Roeselare took similar steps.

Most hospitals did not disconnect. Z-CERT reported that the disruption produced “mostly logistical problems rather than critical medical issues” — increased call volumes, extra support staff, no halted surgeries. Wim Hafkamp, Z-CERT’s director, framed the stakes plainly: “Digital outage is not an abstract IT problem. It concerns people who need care.”

Leiden University Medical Center, one of the country’s largest, stated there were “no indications” its data had leaked — but acknowledged that ChipSoft itself cannot definitively rule out a breach given HiX’s footprint.

The Concentration Risk

The operational story is contained. The structural story is not.

Dutch hospitals, collectively, bet their patient records on a single vendor. That bet produced real benefits — standardized data models, interoperable referrals, consistent clinician training, a manageable vendor relationship. It also produced a single point of failure that cannot be engineered around without dismantling the very thing that made the market efficient.

This is not a Dutch problem. Epic holds a comparable position in major US academic medical centers. Cerner (now Oracle Health) holds a comparable position across the VA system. The economic gravity of EHR consolidation is real: every hospital faces pressure to pick the vendor its referral partners use, and over time that pressure funnels market share toward a single dominant platform. Regulators don’t stop it because integration is a clinical good. Procurement teams don’t stop it because switching costs are catastrophic. CIOs don’t stop it because the alternative is running a bespoke system nobody else speaks.

What happens when the inevitable compromise arrives is what we’re watching in real time. Eleven hospitals pulled the plug and reverted to whatever downtime procedures they had prepared. The other 60+ kept running because ChipSoft’s segmentation held — for now. The question every Dutch hospital IT leader is asking this weekend is whether their downtime procedures are any good, and whether they were actually practiced in the last twelve months, or just written down.

The Broader Healthcare Pattern

The FBI’s 2025 Internet Crime Report, released earlier this week, named healthcare and public health the top sector for ransomware and cyber incidents — 460 ransomware attacks and 182 data breaches, for 642 cyber events in a single year in the US alone. The Dutch incident sits inside that pattern, not outside it.

It also sits inside a regional pattern. In 2025, Clinical Diagnostics — a Eurofins subsidiary — was hit by the Nova ransomware group, compromising nearly a million patient records including diagnostic results. In January 2026, AZ Monica, a Belgian hospital network, took a direct hit. A ChipSoft compromise in April 2026 isn’t a surprise; it’s the continuation of a multi-year campaign against European healthcare infrastructure.

What This Means for IT Leaders

A few things worth thinking about today, whether you run a US hospital, a European one, or a multi-site group anywhere else:

If a primary EHR vendor went dark tomorrow, what is your actual downtime plan? Not the PDF on a shared drive. The one your staff has rehearsed this year.
What VPN and API connections do you have into your EHR vendor that you could sever in 15 minutes? Z-CERT’s first instruction was “cut the VPN.” That’s only possible if someone already knows which VPN.
What’s your notification path if the vendor tells you “possible unauthorized access” but can’t confirm scope? The vague middle ground is where most ransomware disclosures actually live.
Are your referral partners on the same platform? Because the second-order blast radius of a regional EHR outage is your own care coordination, not just your records.

The Dutch situation will resolve — either with a ransom quietly paid, a decryption key recovered, or a painful multi-week rebuild. What it won’t resolve is the structural question that made it consequential in the first place. A country whose healthcare data lives in one vendor’s systems is a country whose healthcare data lives one phishing email away from offline.

What Happened

The Concentration Risk

The Broader Healthcare Pattern

What This Means for IT Leaders

Sources

Security Scorecard