When the screens went dark across Romanian hospital wards in February 2024, the response that kept patients safe was not a software patch. It was a notebook.
Over a span of days, more than 100 hospitals connected to a widely used Romanian medical platform were pulled offline to contain a ransomware outbreak, according to the country's National Cyber Security Directorate (DNSC) and security researchers. The episode, revisited in recent reporting, has since been held up as a case study in old-fashioned resilience.
What happened
The attack hit the Hipocrate Information System, software used to manage admissions, prescriptions, lab results and other hospital records. Investigators traced the intrusion to ransomware known as BackMyData, a variant of the Phobos family, which BleepingComputer reported was deployed against the platform's servers in mid-February.
Accounts of the exact toll vary slightly. The DNSC and BleepingComputer described around 25 hospitals as having data encrypted, with roughly 75 more taking their systems offline as a precaution — a total of about 100 facilities, including cancer and pediatric centres, according to CPO Magazine. The attackers demanded a ransom of 3.5 bitcoin, worth roughly €157,000 at the time, in exchange for a decryption key. Romanian authorities declined to pay.
Going back to paper
With the central system frozen, the workaround was deliberately analogue. Rather than risk the malware spreading, hospitals severed their internet connections — a move investigators credited with stopping the attack from going further.
Clinical staff then improvised. Doctors devised an offline method to register patients by hand, laboratories returned test results on paper, and teams turned to standalone tools such as spreadsheets to keep care moving. Staff "worked mostly on paper," recording admissions, prescriptions and test recommendations by hand, in a return to pre-digital routine, according to BleepingComputer. The trade-off was real: some information captured only on paper during those days was not later digitised.
Why recovery was fast
The single biggest factor in the recovery, officials said, was backups. The DNSC found that most affected hospitals held copies of their data saved relatively recently — typically one to three days old — with one outlier whose backup was around 12 days old. That allowed most facilities to rebuild their systems within days rather than capitulating to the ransom demand.
The wider warning
Romanian officials framed the incident as a sign of risks that grow alongside digitisation. Security researchers note that healthcare is a recurring target precisely because lives are at stake: the more disruption attackers cause, the more likely victims are to pay. Romania's hospitals, this time, chose a different answer — to write it all down, and to have the backups ready when the systems came back online.



