Romanian Hospitals Go Paper‑Only After 100‑Hospital Ransomware Lock‑Down

Tue Jun 23 2026 04:44:38 GMT+0000 (Coordinated Universal Time)

When a ransomware worm cut off more than 100 Romanian hospitals, staff fell back on pen and paper, IT teams raced to restore backups, and the country gained hard lessons in cyber‑resilience.

In February 2024, Romanian doctors and nurses were forced out of their computers when a BackMyData ransomware worm spread through a national medical software system. The national cyber‑security centre ordered 100 hospitals to disconnect from the internet, leaving staff to operate manually with paper records. While IT teams worked to remove the malware and bring systems back online, the hospitals prevented a mass‑patient catastrophe and emerged with a blueprint for future cyber‑attack responses. The event highlighted the need for strong backups, rapid incident response and transparent public communication.

Quick Internet Shutdown Stops a Mass Hospital Hack

On 10 February, the Romanian National Cyber‑Security Centre (DNSC) had to send a frantic directive to every hospital in the country: disconnect from the internet. The order followed an overnight wave of infections that hit the widely‑used Hippocrates medical software, bringing a ransomware strain called BackMyData into every machine that ran the system.

BackMyData is a sophisticated tool that encrypts all files on a victim system and demands a cryptocurrency ransom. In this case, the hackers tried €160,000 (£138,000; $183,000) and pounded on patients’ life‑safety – but the decision to cut the hospitals offline stopped the malware from spreading further and gave the staff a critical breathing space.

Paper, Not Passwords: The Human Rescue Plan

With no internet, mail, or browser, Romanian doctors and nurses had to revert to the most basic clinical tools: a pencil, a whiteboard and hard copy records. At Buzău Hospital, surgeon Oana Goidescu described the shock of losing all patient data, lab results and medication orders at a moment’s notice. Other units – such as Carol Davila in Bucharest – defined offline protocols that let them document each admission on paper and then re‑enter it once the systems were back online.

The manual process was time‑consuming and error‑prone, yet it prevented more than 50 deaths or critical mistakes that could have arisen from corrupted digital records. The article also highlights that several hospitals had recent, reliable backups, which eased the restoration effort.

Cyber‑Experts and Media Keep the Conversation Going

While IT teams worked through the night to purge BackMyData files, the DNSC’s communications officer, Mihai Rotariu, used frequent media briefings to keep both hospital staff and the public informed. The briefings urged non‑essential patients to stay away and advised that no hospital should contact the attackers or pay the ransom.

By 15 February, most infected systems were cleared and the majority of hospitals were back online in near‑normal operation. Some data written into paper during the outage was lost forever, but there was no evidence of serious harm to patients.

Lessons for the Global Healthcare Community

The incident demonstrates why hospitals must not only protect digital systems but also maintain robust paper backup plans. The case is now a benchmark for other countries facing ransomware threats, especially as the FBI lists healthcare as the most targeted critical infrastructure sector.

The BackMyData gang was later cracked in a joint international effort that saw four Russian attackers captured near Russia’s borders, although no official charges have been released. Cyber‑security experts like Alina Bîzgă from Bitdefender warn that hospitals are especially attractive to criminals who seek to disrupt critical services to command higher ransoms.