Cyber attacks hit two French hospitals in one week

A nurse stands in front of out-of-service computers following a cyber attack on Villefranche-sur-Saône's hospital complex in eastern France on February 16, 2021.
A nurse stands in front of out-of-service computers following a cyber attack on Villefranche-sur-Saône's hospital complex in eastern France on February 16, 2021. © Philippe Desmazes, AFP

Ransomware attacks struck two French hospital groups in less than a week, prompting the transfer of some patients to other facilities but not affecting care for Covid-19 patients or virus vaccinations.


The two French hospitals were stricken with ransomware attacks, and a third pre-emptively cut connections with an IT provider, in less than a week, prompting the transfer of some patients to other facilities.    

The Villefranche-sur-Saône hospital complex in France’s eastern Rhone département (administrative area) announced Monday that a cyber attack had been detected at 4:30am local time. 

The attack by the crypto-virus RYUK, a kind of ransomware, "strongly impacts" the Villefranche, Tarare and Trévoux sites of the North-West Hospital, the hospital said in a statement.

Ransomware is software that blocks data on a computer system that is then made accessible after a ransom payment.

Each hospital site’s team immediately set up limited procedures to ensure the exchange of information necessary for patient care, as well as a crisis unit to organise the operation of all three sites. 

There are no scheduled transfers for patients in intensive care at Villefranche, nor for infants in the neonatal department, and Covid-19 vaccinations are continuing. 

However, Tuesday’s slate of surgeries were postponed, and two sites are coordinating with the regional health agency to refer emergency patients to other facilities.

France’s National Agency for the Security of Information Systems (ANSSI) is helping to investigate the attack. The North-West Hospital’s statement came on the same day that ANSSI said it had discovered a hack of several organisations that bore the hallmarks of a group linked to Russian intelligence.

"This campaign mostly affected information technology providers, especially web hosting providers," ANSSI said in a report.

‘No ransom will be paid’

Monday’s attack in Villefranche follows similar ones on hospitals in Paris, Rouen, Montpellier, Issoudun, Albertville Moutiers, Toulon, and Narbonne during the past year – and just four days after the Dax hospital in the southwest Landes département reported a ransomware attack that took place on February 9.

>> French hospitals hit by ransomware attacks

The Dax hospital’s IT team was still in the “diagnostic stage” of responding to the attack, a staff member in the hospital’s communications office said Tuesday to FRANCE 24.

“It’s advancing,” she said.

France’s health ministry had confirmed to AFP that last week’s attack “paralysed … almost all information systems” at the hospital.

The attack had interrupted radiotherapy due to inoperable computers, said Benjamin Blanc, president of the hospital’s medical commission, at a press conference on February 11. Radiology, the laboratory and the pharmacy were operating at reduced levels but “without any consequences for patients”, while Covid-19 patient care and virus vaccinations were ongoing, Blanc said. 

The Dax cyber attack also affected automated washing cycles and room catering. 

Benôit Elleboode, director general of the regional health agency, called the attack an act of “despicable barbarity” at the press conference.

“No ransom will be paid since it doesn’t guarantee recovery of the codes to recover the data,” Elleboode said. “It would only tempt the pirates to target other hospitals.”

A near-miss at third hospital

An official at the hospital group in the Dordogne département, northwest of Landès, acted fast after an IT supplier reported finding a type of data encryption and file-locking malware in its own servers, according to France 3

“We immediately cut off the networks going to this supplier and noticed that four computers at the hospital centre in Périgueux and two in Lanmary had already been contaminated,” Hugues Alegria, the director of computer systems, told the channel on February 11, the same date officials in Dax discussed the attack at their facility.

"In view of what happened at the Dax hospital, we immediately deactivated the backup servers to protect our back-up data,” Alegria said. 

The Paris public prosecutor's office, which has national jurisdiction over cyber crime, is investigating the attack on the Dax hospital.

A December 2020 ANSSI report said that French healthcare facilities have not been an enhanced target during the pandemic, but also noted “a usual leveraging by cyber criminals of the ongoing pandemic” as well as “the ongoing trend of professionalisation of this type of actor”. 

“Whether they take money from a hospital or from an accountant’s office, it makes no difference to them,” said Jérôme Noton, the head of France’s cyber surveillance program, to France Télévision. 

(FRANCE 24 with AFP)

Daily newsletterReceive essential international news every morning