Hospital patient data may have been stolen during the ransomware attack on software provider Chipsoft, sources told NOS.

Chipsoft supplies software for the storage of patient records to Dutch hospitals and house doctors. Sources in the company initially reported that the hack only affected GP records and that the hospital records were safe, but now say that it cannot be ruled out that the hackers gained access to the data of some hospitals.

This applies to hospitals that use Chipsoft’s HIX365 platform to give patients access to their records. Traffic to and from the patient records runs through Chipsoft’s servers. The hackers may have gained access to that traffic, the sources said.

Around 15 Dutch hospitals use HIX365, including the Franciscus Gasthuis in Rotterdam and the Albert Schweitzer Hospital in Dordrecht, according to the broadcaster. Chipsoft has advised these hospitals to file a report of a possible data leak with the Dutch Data Protection Authority (AP).

The AP confirmed to NOS that it has received reports from multiple hospitals, but would not elaborate further due to the ongoing investigations.

Sources also told the broadcaster that Chipsoft took extra security measures last week after external security experts were hired. This included taking the HIX365 patient sites offline and instructing hospitals to delete or password-protect all accounts that Chipsoft support staff could use to log in to the hospitals.

The patient portals supplied by Chipsoft were still offline on Wednesday morning. As a result, patients at the affected hospitals cannot view their records online. Online check-ins at hospitals are also not possible.