Back to Blog

ChipSoft Hit by Ransomware: 76% of Dutch Hospitals Rely on This One EPD Vendor

April 8, 2026 12 min read Security, Healthcare, Ransomware

On April 7, 2026, ChipSoft - the company behind the HiX electronic patient record (EPD) used by 76% of all Dutch hospitals - was hit by a ransomware attack. Z-Cert, the Dutch healthcare cybersecurity center, immediately advised hospitals to disconnect their VPN connections to ChipSoft. The attack affected ChipSoft's cloud infrastructure, including their SaaS Patient Portal and GP software tenant.

ChipSoft spokeswoman Floor Waalkens confirmed the incident with a terse statement: "We have it under investigation." Throughout the day, hospitals received almost no further communication from the company that controls the digital backbone of Dutch healthcare.

This is not just another ransomware story. This is a single point of failure for an entire nation's healthcare system. When one company controls three-quarters of all hospital patient records, a breach there is a breach everywhere.

Developing situation: ChipSoft has confirmed the ransomware attack but has provided limited details. The full scope of affected systems and any potential patient data exposure remains unclear.

What We Know So Far

The ransomware was discovered on ChipSoft's infrastructure on the morning of April 7, 2026. Here is what has been confirmed:

  • Ransomware attack confirmed on ChipSoft's infrastructure
  • Z-Cert advisory: hospitals told to disconnect VPN connections to ChipSoft immediately
  • Cloud tenant compromised: the cloud environment for general practitioner (GP) software was affected
  • Multiple products affected: HiX on-premise, HiX SaaS, and the SaaS Patient Portal hosted by ChipSoft
  • Minimal communication: ChipSoft provided very little information throughout the day

The Z-Cert advisory to disconnect VPN connections is particularly significant. It means the healthcare cybersecurity center considered the risk of lateral movement - the ransomware spreading from ChipSoft's network into hospital networks via trusted VPN tunnels - serious enough to warrant immediate disconnection.

ChipSoft: The Monopoly Behind Dutch Healthcare IT

To understand why this attack matters so much, you need to understand ChipSoft's stranglehold on the Dutch healthcare market.

ChipSoft was founded in 1986 and has grown into the dominant provider of electronic patient records in the Netherlands. Their flagship product, HiX (Healthcare Information Exchange), is an integrated EPD that manages everything from patient registration and medication to lab results, imaging, and billing.

Market Share: A Near-Monopoly

EPD Vendor Market Share (2026) Status
ChipSoft (HiX) 76% Growing (up from 71% two years ago)
Epic Systems 16% Distant second, American company
Nexus (Germany) ~5% Losing ground
SAP/Cerner 0% Exited the Dutch market entirely

The numbers tell a clear story: there is no realistic alternative for most Dutch hospitals. Epic is American (with geopolitical implications for healthcare data), Nexus is shrinking, and SAP/Cerner gave up entirely. Switching EPD vendors takes years and costs millions. ChipSoft knows this. The hospitals know this.

This is the cybersecurity equivalent of putting all your eggs in one basket - and then discovering that basket has holes.

A Pattern of Problems: ChipSoft's Troubled History

The ransomware attack does not exist in a vacuum. ChipSoft has a documented history of problems that make this incident particularly alarming.

"Dodelijke Zorg" - The Documentary That Exposed ChipSoft

In September 2022, KRO-NCRV aired a devastating 2Doc documentary called "Dodelijke Zorg" (Deadly Care). Investigative journalist Wilfried Koomen spent three years researching Dutch hospital software. His findings were alarming:

  • Doctors reported that hundreds of patients may die annually due to defective EPD software - sometimes with fatal consequences
  • HiX allegedly lacks adequate safety controls to prevent medication errors, with insufficient mechanisms to catch dangerous drug interactions
  • ChipSoft actively blocks data exchange with competing platforms to protect its monopoly position, forcing dangerous manual re-entry of patient data
  • The company allegedly uses inexperienced developers to keep costs down, despite building software that handles life-or-death medical decisions
  • ChipSoft's leadership was described as running a "reign of intimidation" (schrikbewind), suppressing any form of criticism or negative reporting
  • Hospitals reported unreasonably high charges for extensions, improvements, and sometimes trivial maintenance or configuration changes
  • The filmmaker interviewed 50+ doctors, administrators, IT professionals, and former employees - most anonymously out of fear of retaliation

ChipSoft responded on its website, stating it "does not recognize the image" painted by the documentary, calling the allegations "untruths." Regarding patient deaths caused by software errors: the company said this was "not known" to them.

The Gag Clauses

Why did most people speak anonymously? Because ChipSoft's contracts contain non-disclosure clauses (zwijgclausules) that prohibit hospitals from discussing their relationship with ChipSoft - under penalty of EUR 50,000 per violation. When your software vendor can fine you for talking about problems with their software, something has gone fundamentally wrong.

The UMCG Court Battle

When hospitals in Northern Netherlands (including the University Medical Center Groningen, UMCG) attempted to switch from ChipSoft to competitor Epic, ChipSoft took them to court. The court initially sided with ChipSoft, ruling that the hospitals needed to run a new procurement procedure. The case went to appeals, with the Court of Arnhem-Leeuwarden eventually suspending the penalties. The message was clear: leaving ChipSoft is not just expensive - it comes with legal risk.

Insider Reports: Internal Security Concerns

Following the ransomware news, people identifying as current and former ChipSoft employees described concerning internal security practices:

  • Poor network segmentation: development machines reportedly sitting on the same network as production systems
  • Dev machines with direct internet access alongside production infrastructure
  • No remote work policy: all employees required to work on-site, concentrating all access in one location
  • Outdated security posture that did not match the sensitivity of the data they handle

Context: These are unverified claims from anonymous sources. However, the fact that Z-Cert immediately advised hospitals to disconnect VPN connections suggests that the security boundary between ChipSoft and hospital networks was a known area of concern. If ChipSoft's internal network was properly segmented, the VPN disconnect advisory would have been less urgent.

The Supply Chain Risk: Why VPN Disconnection Matters

Z-Cert's advice to disconnect VPN connections reveals the core vulnerability: trusted network connections between ChipSoft and hospitals.

How ChipSoft Connects to Hospitals

Many hospitals maintain permanent VPN tunnels to ChipSoft for:

  • Software updates and patches: hospitals download HiX updates directly from ChipSoft
  • Remote support: ChipSoft engineers can access hospital HiX installations for troubleshooting
  • SaaS connectivity: hospitals using HiX SaaS connect to ChipSoft-hosted infrastructure
  • Data synchronization: patient data flows between on-premise and cloud components

When a ransomware group compromises the vendor side of these VPN connections, those trusted tunnels become attack vectors. The ransomware can potentially traverse the VPN to reach hospital networks - networks that trust ChipSoft implicitly because they have to.

The E-Zorg Network Factor

Dutch healthcare runs on the E-Zorg network - a closed VPN connecting over 5,000 healthcare locations including 95% of all pharmacists, 85% of general practitioners, and 65% of hospitals. E-Zorg is physically separated from the public internet, which is normally a security advantage.

But when a major node on that closed network is compromised, the isolation works both ways. The E-Zorg network becomes a potential propagation path. If ransomware reaches the internal healthcare network, it has access to an environment that is specifically designed to be trusted and interconnected.

Supply chain parallel: This is the same attack pattern that made the SolarWinds attack so devastating: compromise the vendor, and you compromise every customer that trusts the vendor's software updates. ChipSoft serves 76% of Dutch hospitals. A compromised update mechanism could theoretically affect them all.

Healthcare Ransomware: The Human Cost

Ransomware attacks on healthcare are not abstract cybersecurity incidents. They have direct consequences for patient care.

Recent Precedents

Incident Date Impact
ChipSoft (Netherlands) April 2026 76% of Dutch hospitals affected, VPN disconnection advisory, full scope unknown
AZ Monica (Belgium) January 2026 70+ surgeries cancelled, 7 critical patients evacuated, emergency services shut down
Change Healthcare (USA) February 2024 100M+ patient records exposed, $22 million ransom paid, months of healthcare billing chaos
Conduent (USA) January 2025 8.5TB stolen by SafePay ransomware, government services disrupted, tens of millions affected

The AZ Monica attack in Belgium three months ago provides a stark preview: within hours of the ransomware hitting, 70+ surgeries were cancelled, 7 critical patients were evacuated to other hospitals, and emergency services were shut down across two campuses. Chemotherapy treatments were postponed. Radiological exams stopped. It took over a month to restore systems.

The ChipSoft situation is potentially far worse. AZ Monica was a single hospital. ChipSoft is the central nervous system for three-quarters of all Dutch hospitals.

What Patient Data Is at Risk?

An EPD system like HiX contains the most sensitive personal data imaginable:

  • Personal identification: name, date of birth, BSN (citizen service number), address, insurance details
  • Medical history: every diagnosis, treatment, surgery, and consultation
  • Medications: current and historical prescriptions, allergies, interactions
  • Lab results: blood work, pathology, microbiology
  • Medical imaging: X-rays, MRIs, CT scans, ultrasounds
  • Mental health records: psychiatric evaluations, therapy notes
  • Clinical notes: physician observations, treatment plans, prognosis

Under GDPR, health data is classified as a "special category" of personal data with the highest level of protection. Unlike a stolen password or credit card number, medical records cannot be changed or cancelled. If your complete medical history is leaked, that information is out there forever.

Modern ransomware groups increasingly use double extortion: they exfiltrate data before encrypting it, then threaten to publish the stolen data if the ransom is not paid. If this pattern applies to the ChipSoft attack, patient records from the majority of Dutch hospitals could be at stake.

What Can You Do?

Be Aware That Your Hospital Data May Be Affected

If you have been treated at any Dutch hospital, there is a 76% chance that your EPD is managed by ChipSoft's HiX system. You cannot opt out of your hospital maintaining an EPD. What you can do is be alert for any unusual activity: phishing attempts using your medical information, identity theft using your BSN, or fraudulent insurance claims.

Monitor Official Communications

Watch for updates from your hospital, ChipSoft, Z-Cert, and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Under GDPR, organizations must notify affected individuals of a data breach without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Protect Your Online Identity

Medical data breaches often lead to targeted phishing campaigns. Attackers who know your medical conditions, medications, or recent hospital visits can craft extremely convincing phishing emails. Protect yourself:

  • Use unique, strong passwords for healthcare portals (MijnZiekenhuisPortaal, MijnOverheid, DigiD)
  • Enable two-factor authentication on all accounts, especially DigiD
  • Be skeptical of emails or calls referencing your medical information
  • Check what your IP address reveals about you - if attackers correlate medical records with IP-based location data, they can build a complete profile

Use a VPN for Healthcare Portal Access

When accessing patient portals or healthcare websites, your IP address reveals your location and ISP. Combined with leaked medical records, this creates a detailed profile. A VPN like NordVPN masks your real IP address and encrypts your connection, adding an extra layer of protection when accessing sensitive healthcare data online.

Privacy tip: Check what your IP address reveals at myip.foo and test for DNS leaks that could expose your browsing activity to your ISP. Healthcare portal visits reveal sensitive information about your medical situation - make sure that data is protected.

The Bigger Picture: Healthcare IT Monopolies Are a National Security Risk

The ChipSoft attack highlights a systemic problem that goes beyond one company:

  • Market concentration: 76% market share means a single vendor failure affects the majority of healthcare infrastructure
  • Vendor lock-in: switching costs of millions plus years of migration, reinforced by gag clauses and legal action against hospitals that try to leave
  • Opacity: non-disclosure agreements prevent public discussion of security issues, meaning hospitals cannot learn from each other's experiences
  • No competition: SAP/Cerner left the market, Nexus is shrinking, and ChipSoft actively litigates against hospitals adopting Epic
  • Supply chain dependency: hospitals depend on ChipSoft for patches, updates, and maintenance - all potential attack vectors

The Dutch Authority for Consumers and Markets (ACM) investigated ChipSoft for monopolistic behavior in 2023. The 2Doc documentary exposed gag clauses and intimidation. Hospitals have taken ChipSoft to court and lost. And now, the infrastructure that connects 76% of Dutch hospitals to their EPD vendor has been compromised by ransomware.

This should be a wake-up call - not just for ChipSoft, but for every country that allows critical healthcare infrastructure to become dependent on a single vendor.

Common Questions

What happened to ChipSoft?

On April 7, 2026, ChipSoft was hit by a ransomware attack. Z-Cert, the Dutch healthcare CERT, advised hospitals to disconnect VPN connections to ChipSoft immediately. The attack affected ChipSoft's cloud tenant for GP software, HiX on-premise, HiX SaaS, and the SaaS Patient Portal. ChipSoft confirmed the incident but provided limited information.

Which hospitals are affected?

ChipSoft has a 76% market share in the Dutch hospital EPD market. Z-Cert advised all hospitals with VPN connections to ChipSoft to disconnect. The full extent of the impact is still under investigation, but the majority of Dutch hospitals use ChipSoft's HiX system and are potentially affected.

What is Z-Cert?

Z-Cert is the Computer Emergency Response Team for the Dutch healthcare sector. They monitor cybersecurity threats targeting healthcare organizations and coordinate incident response. Their advisory to disconnect VPN connections indicates they considered the lateral movement risk from ChipSoft's compromised infrastructure to hospital networks to be serious.

Is my patient data at risk?

It is unclear. ChipSoft's HiX system contains complete electronic patient records. Modern ransomware groups frequently exfiltrate data before encrypting, using it for double extortion. If you have been treated at a Dutch hospital, there is a 76% chance your EPD is in ChipSoft's system. Monitor official communications from your hospital and the Dutch Data Protection Authority for breach notifications.

Why is ChipSoft's market dominance a cybersecurity risk?

With 76% market share, a single attack on ChipSoft can affect most of Dutch healthcare IT. Hospitals depend on ChipSoft for patches and updates, creating supply chain risk. ChipSoft's gag clauses prevent hospitals from sharing security information with each other. And the lack of competition means hospitals cannot easily switch to a more secure vendor, even after an incident like this.

Conclusion

The ChipSoft ransomware attack exposes what happens when critical infrastructure becomes a monopoly. A single company controls the medical records of 76% of Dutch hospitals, enforces silence through gag clauses, sues hospitals that try to leave, and - according to insider reports - maintained inadequate internal security practices.

Key takeaways:

  • ChipSoft, the maker of the HiX EPD used by 76% of Dutch hospitals, was hit by ransomware on April 7, 2026
  • Z-Cert advised hospitals to immediately disconnect VPN connections to ChipSoft
  • The attack affected HiX on-premise, HiX SaaS, the SaaS Patient Portal, and the GP cloud tenant
  • ChipSoft provided minimal communication throughout the incident
  • ChipSoft has a troubled history: the "Dodelijke Zorg" documentary, EUR 50K gag clauses, and lawsuits against hospitals trying to switch vendors
  • Patient data in EPD systems is the most sensitive personal data possible and cannot be "reset" like a password
  • The supply chain risk is enormous: 76% of hospitals rely on ChipSoft for patches and updates
  • Healthcare IT monopolies are a national security risk that regulators have failed to address
  • The Belgian AZ Monica attack (January 2026) showed what hospital ransomware looks like: 70+ cancelled surgeries, evacuated patients, weeks of disruption

The Netherlands has allowed its healthcare IT to become dangerously dependent on a single vendor. This ransomware attack is the consequence of that dependency. Whether patient data was stolen, how far the ransomware spread, and how long the disruption lasts - these are the questions that will determine whether this is a wake-up call or a catastrophe.

Protect yourself after a healthcare data breach:

  1. Enable two-factor authentication on DigiD and healthcare portals
  2. Check what your IP reveals at myip.foo
  3. Test for DNS leaks when browsing healthcare portals
  4. Test for WebRTC leaks bypassing your VPN
  5. Encrypt your internet traffic with a VPN like NordVPN

Related Articles