Cyber-chief Dan Cimpean made the decision to disconnect hospitals from the internet before the attackers could spread further. (AI generated image)
When hackers attacked Romania’s hospital systems, officials took an unusual step — they switched off the internet at more than 100 hospitals to stop the attack from spreading.
The move protected hospital networks but forced doctors and nurses to return to paper records, manual processes and offline tools while cybersecurity teams worked to bring systems back, according to a report by the BBC.
The February 2024 attack became one of the biggest cyber-attacks on healthcare systems in recent years and showed how hospitals can keep working when technology suddenly goes down.
A nationwide shutdown to stop hackers
At Bucharest’s national cyber-security centre (DNSC), officials watched as hackers moved through hospital networks using vulnerabilities in medical software.
Cyber-chief Dan Cimpean made the decision to disconnect hospitals from the internet before the attackers could spread further.
The move stopped the hackers from gaining more control, but it also forced hospitals to operate without digital systems.
Doctors could no longer access patient records, order tests digitally or use online hospital tools. IT teams raced to understand the attack while medical staff created temporary systems to continue treating patients.
Hospitals returned to paper records
Surgeon Oana Goidescu was working at Buzău Hospital, around 120km north-east of Bucharest, when staff were alerted that attackers had breached Bucharest-based software company RSC.
The hackers had entered a medical system called Hippocrates, which hospitals used for everything from patient admissions and pharmacy management to test results and payroll.
"It was quite an unpleasant experience, because an IT record is not just a list of patients," she said. "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone."
The attackers had deployed ransomware called BackMyData, which scrambled files and demanded payment in bitcoin.
Staff at Pitești children's hospital were among the first to notice problems on Sunday morning, a day after the attack started. By Monday morning, more hospitals reported that their systems had stopped working.
Doctors built offline systems to keep care running
With digital records unavailable, hospitals created manual processes to avoid disruption.
"When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient," said Vlad Paic from Carol Davila Hospital in Bucharest.
"We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected."
Some doctors said that because Romania’s shift towards digital healthcare was recent, staff still remembered older manual methods, which helped them adapt.
Cyber investigators worked overnight and found that 26 hospitals had been infected with BackMyData.
Attackers demanded ransom, but Romania refused to pay
The hackers demanded €160,000 (£138,000; $183,000) in bitcoin.
Authorities decided not to negotiate or pay the ransom. Instead, hospitals worked with IT teams to restore systems using backups.
Most hospitals had relatively recent copies of their data, which helped speed up recovery.
Within five days, most hospitals were back online and operating close to normal. No deaths or serious patient harm were reported, although staff spent weeks transferring paper records back into digital systems. Some data was permanently lost.
Why hospitals are becoming a target
Cybersecurity experts say healthcare systems are increasingly targeted because disruption can create pressure on organisations to pay quickly.
The FBI has warned that healthcare is now one of the most targeted areas of critical national infrastructure.
Alina Bîzgă from Bucharest-based cyber-security firm Bitdefender said criminals target hospitals because they handle essential services.
"Hospitals handle critical services, and the criminals think that the more disruption that can be caused, the more likely they are to get paid a ransom," she said.
The attack in Romania follows similar incidents worldwide, including attacks on healthcare providers in the US and UK.
Romania’s cyber chief Dan Cimpean said the risk increases as more services move online.
"The more technology you have, the more digitised you are, the greater the risk," he said.