The ChipSoft attack: what a supplier hack means for your awareness programme

In April 2026 a ransomware attack hit ChipSoft, the supplier of the electronic patient record used by around 70% of Dutch hospitals. The lesson: you are only as secure as your weakest supplier — and awareness does not stop at your own front door.

On 7 April 2026, ChipSoft — maker of the HiX electronic patient record (EPR) system — was hit by a ransomware attack (attributed to the Embargo group). ChipSoft supplies the EPR to around 70% of Dutch hospitals. Hospitals took patient portals offline as a precaution; on 16 April ChipSoft confirmed that patient data had been stolen. The incident exposes what many awareness programmes overlook: your biggest risk sometimes sits not within your own walls, but with a supplier you never trained yourself.

What happened — and why the impact was so large

The attack was discovered on 7 April. A day later there were signals that the attackers might have reached patient data; on 16 April ChipSoft confirmed the theft. Late in April the company said the stolen data had been destroyed, though it remained unclear what had happened regarding any ransom.

The impact was large because a single supplier plays a central role across the entire sector. When roughly seven in ten hospitals use the same EPR, an attack on that supplier hits a large part of national healthcare at once. This is concentration risk: central software means central risk. You saw the same pattern in the Canvas breach in education.

Medical data is a special category of personal data under the GDPR, and a breach involving it must be reported to the supervisory authority within 72 hours. For most hospitals the NIS2 directive also applies, with its duty of care for essential entities — and national CSIRTs coordinate the response across the sector.

The fallacy: 'we have our own house in order'

Many organisations aim their awareness entirely at their own staff: don't click on phishing links, use strong passwords, report incidents properly. That is necessary, but it covers only half the picture. A significant share of breaches originate at a third party — a software supplier, a processor, an outsourced call centre.

In a supply-chain incident you can have done everything right internally and still be hit. Your people did nothing wrong; the weak link sat with a party you have no direct control over. That feels unfair, but it is the reality of modern IT supply chains.

For awareness professionals this means your programme does not stop at your own front door. You also need to teach staff what a supplier incident means for them and how to respond to it.

What awareness can actually do about supplier risk

You cannot enforce a supplier's security through an e-learning module. But your staff do play a role in the chain. Those who procure or manage contracts decide whether security requirements are part of the deal. Those who use the software daily are the first to notice when 'something is off'.

Awareness in a supply-chain context is about three things: asking suppliers the right questions up front, recognising and reporting anomalies during the work, and knowing your role during an incident when someone else's system goes down.

In healthcare that last point is critical: when the EPR goes offline, staff must know how to fall back on paper-based processes without endangering patient safety. You practise that beforehand, not during the crisis.

Secondary risk: targeted phishing after a healthcare breach

As with other breaches, the theft itself is not the end point: as the Odido breach also showed, the targeted phishing often only starts afterwards. Stolen medical data is gold for targeted phishing and extortion, precisely because it is so personal. A fake message 'from the hospital' about an appointment or invoice is extra convincing when it matches your real situation.

After a supplier incident, healthcare staff should therefore be extra alert to messages that ride the news: 'click here to check whether your data was leaked' is a classic follow-up trick.

Communicate about this proactively to your people and to patients: explain which messages you do and do not send, so that fake communication stands out sooner.

How to embed this in your awareness programme

Use the ChipSoft case to make the conversation about supply-chain risk concrete. It maps directly onto the question every healthcare board asks after April 2026: 'what if it happens to us?'

Make supplier risk a recurring theme — not only for IT and procurement, but also for the front-line staff who use the software.

  • Audience + cadence: give procurement and contract management a module on supplier security requirements; give care teams an annual fallback drill (EPR down → paper process).
  • Define who does what during a supplier incident: report, communicate, fall back — before things go wrong.
  • Train staff to recognise follow-up phishing after a breach ('check whether you were leaked' messages).
  • Measure whether the fallback procedure really works: how quickly can a department switch over without care grinding to a halt?
  • Want to go deeper? See how to anchor this through a security awareness programme.

FAQ

How can an attack on one company hit so many hospitals?

Because around 70% of Dutch hospitals use the same EPR (ChipSoft's HiX). When so many organisations rely on one supplier, concentration risk arises: an attack on that supplier hits a large part of the sector at once.

What can awareness do when the problem is at a supplier?

Awareness cannot enforce a supplier's security, but it can prepare your people: set the right security requirements during procurement, spot and report anomalies early, and know how to fall back on alternative processes when someone else's system fails.

Why is an EPR fallback drill important?

When the patient-record system goes offline, healthcare staff must be able to fall back on paper or alternative processes immediately, without endangering patient safety. That only works if you have practised it beforehand, not during the crisis itself.

Which rules apply to a breach involving medical data?

Medical data is a special category of personal data under the GDPR, and a breach must be reported to the supervisory authority within 72 hours. For most hospitals the NIS2 directive also applies, with its duty of care, and national CSIRTs coordinate the sector response.