ChipSoft Ransomware Attack Cripples 80% of Dutch Hospitals — Patient Portals Go Dark

A devastating ransomware attack on ChipSoft, the dominant electronic patient record (EPR) provider in the Netherlands, has forced approximately 80% of Dutch hospitals to disconnect their systems as of April 10, 2026. The attack triggered a coordinated national emergency response as patient portals went offline and clinical workflows ground to a halt.

Hospitals across the country were forced to fall back on manual processes, with staff unable to access digital patient records, medication lists, or scheduling systems. The Dutch National Cyber Security Centre (NCSC) issued an emergency advisory, and the Ministry of Health activated crisis protocols. The identity of the ransomware group behind the attack has not been publicly confirmed, and it remains unclear whether patient data was exfiltrated in addition to being encrypted.

Source

Reported by Diesec and multiple Dutch media outlets on April 10, 2026.

Commentary

This is a textbook example of catastrophic single-vendor dependency in critical infrastructure. When one EPR provider serves 80% of a nation’s hospitals, compromising that provider doesn’t just breach one organization — it functionally disables an entire country’s healthcare system. The Netherlands is now learning the hard way what happens when supply chain concentration meets ransomware.

Expect this incident to accelerate conversations across Europe about mandatory vendor diversification in healthcare IT. The bigger question: how many other countries have similarly concentrated dependencies in their health systems that simply haven’t been tested yet?