Ransomware at ChipSoft: alert for cross‑border care
Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.
Lead (who, what, where, when)
On April 29, 2026, ChipSoft, the Dutch vendor of the HiX electronic health record (used by most Dutch hospitals), announced that data exfiltrated during a ransomware attack in early April had been “destroyed” by the attackers, and that no public leak had been observed so far. Dutch media confirm the timeline: attack acknowledged around April 7, then “destruction” communicated on April 29. (source)
Regulatory context
- Health data and GDPR: Medical data are “special category” data (GDPR Art. 9). In case of a breach, controllers must notify the competent authority within 72 hours and, if high risk, inform data subjects; processors may support these duties. For Luxembourg actors (private clinics, health insurers, TPAs, labs, hosting providers), an incident at a foreign supplier may trigger obligations if they process affected patients/insured persons or act as joint controllers/processors within cross‑border care chains.
- NIS2 (health): “Important”/“essential” entities in health and certain critical digital providers must implement enhanced technical and organizational measures and notify significant incidents. Luxembourg has designated the ILR as the NIS competent authority, and health is explicitly covered; cross‑border cooperation (CERT/CSIRT) is expected. (ILR)
Key caution: ChipSoft’s message about data “destruction” does not equal absence of risk. Between exfiltration and the alleged purge, copies may have circulated; treat this as a confirmed breach and apply GDPR/NIS2 risk tests, not a presumption of safety. Dutch media also reported operational impact (portals disconnected, HiX in degraded mode) in the days following the attack. (source)
What this changes for companies in Luxembourg
- Cross‑border care and billing: Many Luxembourg residents receive care in Belgium, Germany or the Netherlands. If a Dutch hospital using HiX shared reports, prescriptions, lab results, or administrative identifiers with a Luxembourg provider (or a Luxembourg insurer), indirect exposure cannot be ruled out. Luxembourg controllers should verify whether data of their patients/insured persons transited via HiX/ChipSoft or related interconnections. (source)
- Sub‑processing chain: Even without a direct contract with ChipSoft, you may be involved via a partner (cross‑border hospital, rehab center, telemedicine network, imaging vendor). Precisely map data flows and sub‑processors.
- Governance and evidence: Authorities (CNPD/sister DPAs) will request proof of risk analysis, supplier due diligence, and the criteria used to notify (or not) data subjects. Under NIS2, leadership must demonstrate oversight of cybersecurity risks and the effectiveness of measures. (ILR)
Concrete actions to take this week
- Obtain written impact statements from cross‑border partners/insurers: which systems (including HiX/HiX 365) were involved, which data categories may have transited, which shared identifiers (national IDs, CNS, IBAN, contact details) are affected; request IOCs and the exposure window to cross‑check your logs. (source)
- Launch a mini “care‑chain” audit: update your records of processing (RoPA), data processing agreements (DPAs) with suppliers and partners, and vendor risk assessments; prepare, if needed, a CNPD notification and data subject information based on a documented risk test (including the scenario of exfiltration without public leak).
- Test incident management under real conditions: table‑top exercise “exfiltration at an EHR supplier,” verify business continuity plans (degraded access to patient records), check interop logs (IHE, HL7, FHIR), and monitor leak/ransomware sites to detect any later disclosure. (source)
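One way to perform the log cross‑check called for above, as an added example that is not part of this article or of any vendor's tooling: it assumes a constructed JSON‑lines export from an integration engine, an assumed mapping from message type to data category, and a constructed exposure window and partner hostname, and enumerates which patient identifiers and data categories were exchanged with an affected partner inside that window, as input to the documented risk test.

```python
"""Cross-check interop logs against a supplier-stated exposure window.

Constructed example: the log format below is an assumed JSON-lines export
of an integration engine, not ChipSoft's or any hospital's real format.
"""
import json
from datetime import datetime

# Assumed mapping from message type to the data categories it carries;
# adjust to the interfaces actually in use in your own care chain.
CATEGORIES = {
    "ADT^A04": {"identity", "contact", "national_id"},
    "ORU^R01": {"lab_results"},
    "RDE^O11": {"prescriptions"},
    "FHIR/DiagnosticReport": {"reports"},
}

# Constructed sample log lines (one JSON object per line); peers and
# patient identifiers are placeholders, not real systems or persons.
SAMPLE_LOG = """
{"ts": "2026-04-02T09:15:00Z", "peer": "hix.nl-hospital.example", "type": "ADT^A04", "pid": "LU-1001"}
{"ts": "2026-04-03T11:40:00Z", "peer": "hix.nl-hospital.example", "type": "ORU^R01", "pid": "LU-1001"}
{"ts": "2026-04-04T08:05:00Z", "peer": "ris.de-clinic.example", "type": "FHIR/DiagnosticReport", "pid": "LU-2002"}
{"ts": "2026-04-05T16:20:00Z", "peer": "hix.nl-hospital.example", "type": "RDE^O11", "pid": "LU-3003"}
{"ts": "2026-04-09T10:00:00Z", "peer": "hix.nl-hospital.example", "type": "ORU^R01", "pid": "LU-4004"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-04-02T09:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def exposure_report(log_text, window_start, window_end, affected_peers):
    """Return {patient_id: sorted categories} for records exchanged with an
    affected peer inside the exposure window (inclusive bounds)."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    report = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["peer"] not in affected_peers:
            continue  # partner not in the affected care chain
        if not (start <= parse_ts(rec["ts"]) <= end):
            continue  # outside the window the partner communicated
        cats = CATEGORIES.get(rec["type"], {"unclassified"})
        report.setdefault(rec["pid"], set()).update(cats)
    return {pid: sorted(c) for pid, c in report.items()}


if __name__ == "__main__":
    # Constructed window and peer: replace with the partner's written statement.
    for pid, cats in sorted(exposure_report(SAMPLE_LOG, "2026-04-01T00:00:00Z",
                                            "2026-04-07T23:59:59Z",
                                            {"hix.nl-hospital.example"}).items()):
        print(pid, cats)
```

The resulting per‑patient category list is what the CNPD notification decision and data subject information can be documented against; records outside the window or with unaffected peers are excluded, so a partner that later widens its window must be re‑run.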
Note
The “destruction” information comes from ChipSoft’s public statements echoed by Dutch media on April 29–30, 2026; no authority has publicly confirmed a complete absence of risk. Controllers should fulfill GDPR/NIS2 duties based on a documented risk analysis, regardless of these statements.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.