Dutch electronic health record (EHR) vendor ChipSoft has been hit by a ransomware attack, triggering a data incident that ripples across multiple hospitals in the Netherlands. Spijkenisse Medisch Centrum confirmed on April 8, 2026 that the compromise of its EPD supplier forced the hospital to escalate internally and implement immediate containment measures to protect patient data.
What Happened
ChipSoft, the supplier of the electronic patient record (elektronisch patiëntendossier, or EPD) used by Spijkenisse Medisch Centrum and other Dutch hospitals, was struck by a ransomware attack. The incident was disclosed by affected hospitals, with Spijkenisse MC confirming internal escalation and protective measures. A parallel notice from ChipSoft addresses direct consequences for patients, indicating that personal health data handled through the EPD platform is implicated. Because ChipSoft's HiX EPD platform is the dominant hospital records system in the Netherlands, the blast radius extends well beyond a single facility.
What Was Taken
Public statements from Spijkenisse MC and ChipSoft frame this as a "data incident," consistent with data exposure associated with ransomware double-extortion. While the precise volume and record count have not been disclosed, the affected environment supports core hospital EPD functions, meaning the exposed data categories likely include:
- Patient identifiers (name, BSN, date of birth, contact details)
- Clinical records, diagnoses, medications, and treatment histories
- Referral and appointment metadata
- Potentially billing and insurance data tied to hospital workflows
Given the sensitivity of Dutch EPD data under the AVG/GDPR and healthcare-specific regimes, any exfiltration of these categories represents a high-severity exposure.
Why It Matters
ChipSoft is a concentration point for Dutch healthcare IT. A successful intrusion at this supplier affects many hospitals simultaneously, giving a single attacker leverage over an entire national sector. For defenders, this incident reinforces the reality that healthcare supply-chain compromises are among the most consequential attack paths: a vendor breach becomes a country-scale patient data breach. Expect regulatory scrutiny from the Autoriteit Persoonsgegevens, follow-on phishing targeting affected patients, and ongoing disclosures as additional hospitals assess their exposure.
The Attack Technique
The incident has been attributed to ransomware, but the specific threat actor, initial access vector, and malware family have not been publicly disclosed at the time of writing. Ransomware operators targeting healthcare SaaS and EHR vendors in prior campaigns have frequently leveraged exploitation of internet-facing appliances (VPN, file transfer, identity platforms), valid account abuse via infostealer credentials, and phishing-led deployment of loaders such as SocGholish or IcedID before handoff to affiliates like BlackCat, LockBit successors, or emerging Dutch-targeting crews. Attribution should be considered provisional until ChipSoft or Dutch authorities publish IOCs.
What Organizations Should Do
- Healthcare providers using ChipSoft HiX or related EPD services should request written scope-of-impact statements from the vendor, including whether their tenant data was accessed or exfiltrated.
- Rotate credentials, API keys, and integration secrets shared with ChipSoft services, and review federated identity trust paths into hospital environments.
- Hunt for anomalous access from vendor IP ranges and ChipSoft service accounts in SIEM and identity logs covering the past 90 days.
- Brief patient-facing staff on likely follow-on phishing and social engineering referencing the incident; prepare scripted responses.
- Coordinate with Z-CERT and the Autoriteit Persoonsgegevens on breach notification obligations if patient data is confirmed affected.
- Review and exercise EPD downtime procedures, including paper fallback workflows, so clinical operations can continue if ChipSoft services degrade further.
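One way to run the 90-day hunt from the list above over exported sign-in logs, as an added example that is not from the original article or the vendor. The IP range, the `svc-epd-` account prefix and the log rows are constructed placeholders; substitute the egress ranges and integration account names documented for your own environment.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta, timezone

# Assumptions (not from the article): a documentation-range network stands in
# for the vendor's egress ranges; "svc-epd-" is a hypothetical naming
# convention for vendor integration accounts.
VENDOR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
VENDOR_ACCOUNT_PREFIX = "svc-epd-"
LOOKBACK = timedelta(days=90)

# Constructed sample sign-in export: timestamp, account, source IP, result.
SAMPLE_LOG = """ts,account,src_ip,result
2026-03-30T02:14:07+00:00,svc-epd-sync,192.0.2.15,success
2026-04-02T03:41:55+00:00,svc-epd-sync,203.0.113.77,success
2026-04-05T09:12:31+00:00,ward-user01,192.0.2.40,success
2026-04-06T11:00:02+00:00,ward-user01,198.51.100.9,success
2025-11-20T01:00:00+00:00,svc-epd-sync,203.0.113.77,success
2026-04-07T22:18:44+00:00,svc-epd-hl7,203.0.113.80,failure
"""

def from_vendor(ip):
    """True when the source address falls inside a known vendor range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_RANGES)

def hunt(log_text, now):
    """Return (reason, row) findings for sign-ins inside the lookback window."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if now - datetime.fromisoformat(row["ts"]) > LOOKBACK:
            continue  # older than the 90-day hunt window
        is_vendor_acct = row["account"].startswith(VENDOR_ACCOUNT_PREFIX)
        vendor_ip = from_vendor(row["src_ip"])
        # Integration secret used from somewhere the vendor does not operate.
        if is_vendor_acct and not vendor_ip:
            findings.append(("vendor account from non-vendor IP", row))
        # Hospital account reached from vendor infrastructure; failures are
        # kept in both branches because they show attempted use.
        elif vendor_ip and not is_vendor_acct:
            findings.append(("non-vendor account from vendor IP", row))
    return findings

if __name__ == "__main__":
    now = datetime(2026, 4, 8, tzinfo=timezone.utc)
    for reason, row in hunt(SAMPLE_LOG, now):
        print(row["ts"], row["account"], row["src_ip"], row["result"], reason)
```

Findings are leads for triage rather than confirmed compromise: a vendor account seen from an unexpected address may also reflect an undocumented change in the vendor's infrastructure.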
Sources: Data-incident leverancier elektronisch patiëntendossier | Ziekenhuizen