Dutch healthcare software provider Chipsoft, which supplies patient record systems to hospitals and general practitioners across the Netherlands, has confirmed via internal sources that hospital patient data may have been exfiltrated during the ransomware incident first disclosed on 8 April 2026. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has received breach notifications from multiple affected hospitals, with roughly 15 institutions using the impacted HIX365 platform now potentially exposed.

What Happened

Chipsoft suffered a ransomware attack disclosed on 8 April 2026. Initial company statements claimed the intrusion was contained to general practitioner records and that hospital data remained unaffected. As of 15 April, internal sources have reversed that assessment, telling NOS that hospital data exposure cannot be ruled out for institutions running the HIX365 patient portal platform. Patient portal traffic for these hospitals routes through Chipsoft's servers, and threat actors may have intercepted or accessed that data flow during their dwell time. In response, Chipsoft engaged external incident response specialists, took the HIX365 patient sites offline, and instructed hospitals to delete or password-protect any local accounts used by Chipsoft support staff to remotely access hospital environments.

What Was Taken

The exact volume and content of exfiltrated data have not been publicly confirmed, but exposure scope includes patient record traffic flowing between approximately 15 Dutch hospitals and Chipsoft's central infrastructure. Confirmed affected institutions include Franciscus Gasthuis in Rotterdam and Albert Schweitzer Hospital in Dordrecht. The HIX365 platform handles electronic health records, appointment data, and online check-in workflows, meaning any compromised traffic could include personally identifiable information, medical history, diagnostic data, prescription information, and authentication artifacts. General practitioner records were confirmed as accessed in the initial disclosure.

Why It Matters

Healthcare supply chain compromises are among the highest-impact scenarios in the current threat landscape. A single software vendor breach can cascade across dozens of independent care providers, exposing the most sensitive class of personal data covered under GDPR Article 9. The Chipsoft incident illustrates the systemic risk concentration created when a small number of vendors hold integration footprints across an entire national healthcare sector. The shifting public narrative, from "GP records only" to "hospital data possibly exposed," also highlights a recurring pattern in incident response where initial scoping underestimates lateral access. Defenders should treat early vendor disclosures as floor estimates, not ceilings.

The Attack Technique

Specific intrusion vectors, ransomware family attribution, and threat actor identity have not been publicly disclosed. The reported pivot from GP-only systems to hospital-linked patient portal infrastructure suggests the attackers either moved laterally between segmented environments or had access to shared backend services that processed traffic for both customer tiers. The mitigation step of instructing hospitals to delete or password-protect Chipsoft support accounts strongly indicates that vendor support credentials, persistent remote access mechanisms, or shared service accounts were either confirmed or suspected as part of the attack chain.

What Organizations Should Do

  1. Inventory all third-party vendor accounts with access to your environment and disable any that are not actively required. Rotate credentials on those that are.
  2. Enforce just-in-time access and MFA for vendor support sessions, replacing standing accounts with brokered, time-limited connections logged in a SIEM.
  3. Segment patient portal infrastructure and any vendor-routed traffic from core EHR systems so that a vendor compromise does not provide direct access to clinical data stores.
  4. Assume the worst on vendor breach disclosures: file precautionary regulator notifications early when vendor scope is uncertain, as multiple Dutch hospitals have done with the AP.
  5. Hunt retroactively for anomalous authentication, data egress, and API traffic patterns associated with HIX365 or other Chipsoft integration points across the disclosed dwell window.
  6. Review and tabletop the contingency for portal outages, since Chipsoft's mitigation has left patients unable to access records or complete online check-ins, creating operational pressure that often degrades security discipline.
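
As a starting point for steps 1 and 2, the following added example (not code from Chipsoft, NL Times, or any affected hospital) audits an account export for enabled vendor accounts that are unused, lack MFA, have no expiry, or carry a credential set before the 8 April 2026 disclosure. The CSV columns, account names, vendor tag, and 90-day staleness threshold are assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

DISCLOSURE = date(2026, 4, 8)      # ransomware disclosure date given in the article
STALE_AFTER = timedelta(days=90)   # assumed threshold for "not actively required"

# Constructed sample export; column names and accounts are hypothetical.
SAMPLE_EXPORT = """account,vendor,enabled,mfa,password_last_set,last_logon,expires
svc-vendor-support,chipsoft,true,false,2024-11-02,2026-04-03,
vendor-remote01,chipsoft,true,true,2026-04-10,2025-09-14,
vendor-jit-broker,chipsoft,true,true,2026-04-12,2026-04-13,2026-04-20
vendor-old,chipsoft,false,false,2023-01-15,2023-06-01,
lab-integration,othervendor,true,false,2025-02-01,2026-04-14,
"""

def _day(value):
    """Parse an ISO date, returning None for an empty field."""
    return date.fromisoformat(value) if value else None

def audit_vendor_accounts(export_text, vendor, today):
    """Return {account: [findings]} for enabled accounts of one vendor."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["vendor"] != vendor or row["enabled"] != "true":
            continue  # disabled accounts and other vendors are out of scope here
        findings = []
        last_logon = _day(row["last_logon"])
        if last_logon is None or today - last_logon > STALE_AFTER:
            findings.append("disable: no recent use")
        if row["mfa"] != "true":
            findings.append("enforce MFA")
        if _day(row["expires"]) is None:
            findings.append("standing account: no expiry")
        pw_set = _day(row["password_last_set"])
        if pw_set is None or pw_set < DISCLOSURE:
            findings.append("rotate: credential predates disclosure")
        if findings:
            report[row["account"]] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_vendor_accounts(
            SAMPLE_EXPORT, "chipsoft", date(2026, 4, 15)).items():
        print(f"{account}: {'; '.join(findings)}")
```

Accounts that are brokered, time-limited, MFA-protected, and rotated after the disclosure produce no findings, which is the target state described in step 2.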

Sources: Hospital patient data may have leaked in Chipsoft hack, sources say | NL Times