At 02:14 on a Sunday morning in February 2026, a regional hospital was hit by a ransomware attack on its information system. Backed by a continuity framework operationalised through ResiPlan, the hospital maintained patient care, classified and isolated the incident within 90 minutes of the first alert, and restored its critical applications in 18 hours. Here is the story of the incident and its lessons.
Background
The organisation is a mid-sized French regional hospital:
- 800 inpatient beds, including 70 critical care beds
- 5,000 staff (medical, nursing, administrative)
- 450 software applications, 38 of them classified as critical
- "Plan blanc" (emergency plan) activated on average 3 times per year since the pandemic
- Certified HDS (Health Data Hosting provider)
The hospital had deployed ResiPlan 14 months before the incident, as part of a resilience programme aligned with NIS2 requirements and ANSSI recommendations for the healthcare sector.
The incident
Detection (00:00 to 00:47)
Times in this account are counted from the first EDR alert (00:00), not as wall-clock time. That alert came from the EDR flagging mass file encryption on a radiology file server. In parallel, the shared SOC detected unusual PowerShell activity on three other servers. Correlating the two signals and classifying the event as a "major cyber incident" took 47 minutes.
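The correlation described above, written out as an added illustration (this is not ResiPlan's or the hospital's detection logic). It assumes a simple rule: an EDR mass-encryption alert opens a correlation window, and suspicious PowerShell on at least three other hosts inside that window escalates the event to a major incident. The alerts, host names and threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime     # time the sensor raised the alert
    source: str      # "edr" or "soc", the two sensors in the story
    host: str
    kind: str        # "mass_encryption" or "powershell_suspicious"


# Constructed sample alerts for illustration only (not real telemetry).
T0 = datetime(2026, 2, 1, 2, 14)
SAMPLE_ALERTS = [
    Alert(T0, "edr", "rad-fs01", "mass_encryption"),
    Alert(T0 + timedelta(minutes=6), "soc", "app-srv07", "powershell_suspicious"),
    Alert(T0 + timedelta(minutes=9), "soc", "app-srv12", "powershell_suspicious"),
    Alert(T0 + timedelta(minutes=15), "soc", "db-adm02", "powershell_suspicious"),
    # Same indicator hours later: outside the window, so not tied to this incident.
    Alert(T0 + timedelta(hours=3), "soc", "ws-0419", "powershell_suspicious"),
]

MAJOR = "major cyber incident"
SUSPECTED = "suspected incident"
NO_INCIDENT = "no incident"


def correlate(alerts, window=timedelta(minutes=60), host_threshold=3):
    """Classify a batch of alerts.

    Assumed rule: the earliest mass-encryption alert opens the window; if
    suspicious PowerShell is seen on at least `host_threshold` *other* hosts
    within the window, encryption plus lateral activity means a major
    incident. Returns (severity, involved_hosts, window_opened_at).
    """
    encryption = sorted((a for a in alerts if a.kind == "mass_encryption"),
                        key=lambda a: a.ts)
    if not encryption:
        return NO_INCIDENT, frozenset(), None
    opened = encryption[0].ts
    in_window = [a for a in alerts if opened <= a.ts <= opened + window]
    encrypted_hosts = {a.host for a in in_window if a.kind == "mass_encryption"}
    lateral_hosts = ({a.host for a in in_window if a.kind == "powershell_suspicious"}
                     - encrypted_hosts)
    hosts = frozenset(encrypted_hosts | lateral_hosts)
    if len(lateral_hosts) >= host_threshold:
        return MAJOR, hosts, opened
    return SUSPECTED, hosts, opened


if __name__ == "__main__":
    severity, hosts, opened = correlate(SAMPLE_ALERTS)
    print(severity, sorted(hosts), opened.strftime("%H:%M"))
```

The threshold and window are the tunable parts: too tight a window misses a slow-moving intrusion, too loose a threshold escalates every single PowerShell alert into a crisis-cell call-out.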
Initial impact
- 14 servers encrypted, including 2 administrative database servers
- The Electronic Patient Record (EPR) remained accessible but slow
- Imaging (PACS) partially degraded
- Internal email down
- Admissions, billing and medication workflow impacted
Ransom demand
The attacker group demanded a cryptocurrency ransom with a 72-hour countdown. In line with ANSSI doctrine and the hospital's internal policy, the hospital decided immediately not to pay.
ResiPlan's role in the response
Reflex card activation (00:47 to 01:30)
The crisis cell lead triggered the cyber incident response plan (IRP) from the ResiPlan mobile interface. The reflex cards covering the first 40 minutes were pushed to the devices of the 12 crisis cell members. Critical actions were tracked live: network isolation (administrative VLAN), EPR degraded mode, activation of the internal communications plan.
Dependency cascade visualisation
From the CMDB dependency graph, teams identified in three clicks the 112 business processes potentially affected by the 14 hit servers. They prioritised the 28 processes linked to vital care (A&E, operating theatre, critical care) and activated the matching degraded procedures.
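The impact analysis above is a downstream walk over the CMDB dependency graph: start from the hit servers, follow "depends on" edges in reverse, and keep the business processes you reach. Here it is as an added example; it is not ResiPlan's code, and the toy CMDB (server, application and process names, and which processes count as vital care) is constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed toy CMDB (illustration only): each item maps to the items it
# depends on. Leaves are servers, intermediate nodes are applications, and
# the names in PROCESSES are business processes.
DEPENDS_ON = {
    "pacs":               ["rad-fs01"],
    "epr":                ["db-adm01", "app-srv07"],
    "admissions":         ["db-adm02", "app-srv12"],
    "billing":            ["db-adm02"],
    "payroll":            ["db-adm02"],
    "imaging_reporting":  ["pacs"],
    "ae_triage":          ["epr", "admissions"],
    "theatre_scheduling": ["epr", "pacs"],
    "icu_monitoring":     ["epr"],
}
PROCESSES = {"admissions", "billing", "payroll", "imaging_reporting",
             "ae_triage", "theatre_scheduling", "icu_monitoring"}
VITAL_CARE = {"ae_triage", "theatre_scheduling", "icu_monitoring"}


def build_dependents(depends_on):
    """Invert the graph: item -> items that depend on it (downstream edges)."""
    dependents = defaultdict(list)
    for item, deps in depends_on.items():
        for dep in deps:
            dependents[dep].append(item)
    return dependents


def impacted(hit_servers, depends_on=DEPENDS_ON):
    """Breadth-first walk downstream from the hit servers.

    Returns every item (server, application or process) that transitively
    depends on at least one hit server. The `seen` set also protects against
    cycles in a real CMDB.
    """
    dependents = build_dependents(depends_on)
    seen = set(hit_servers)
    queue = deque(hit_servers)
    while queue:
        node = queue.popleft()
        for child in dependents.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def prioritise(hit_servers, depends_on=DEPENDS_ON,
               processes=PROCESSES, vital=VITAL_CARE):
    """Split the impacted business processes into vital care first, then the rest."""
    hit = impacted(hit_servers, depends_on) & processes
    return sorted(hit & vital), sorted(hit - vital)


if __name__ == "__main__":
    vital_first, others = prioritise({"rad-fs01", "db-adm02"})
    print("vital care:", vital_first)
    print("other:", others)
```

The output is only as good as the CMDB behind it: a missing edge silently drops a process from the list, which is why the lessons-learned section credits CMDB quality rather than the graph walk itself.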
Recovery plan coordination
IT teams followed the DRP step by step: restoration from verified cold (offline) backups that the attack had not reached, rebuild in an isolated environment, integrity testing before release to production. Each step was timestamped and documented in ResiPlan for audit and lessons-learned purposes.
Recovery timeline
| Time (from first EDR alert) | Action |
|---|---|
| 00:00 | First EDR signal |
| 00:47 | Classification as major cyber incident |
| 01:15 | Crisis cell activated on-site and remote |
| 01:30 | Network isolation effective, IT "plan blanc" activated |
| 03:00 | Internal communication to all services |
| 04:00 | ANSSI and regional health authority informed, police report filed |
| 08:00 | Stable degraded mode, scheduled activity postponed |
| 14:00 | Restoration of the 2 priority database servers |
| 18:00 | 38 critical applications back in production |
| 72h | Full recovery (the encrypted artefacts were never decrypted) |
Results
- Zero patients transferred due to inability to provide care
- No clinical data loss beyond a 2-hour RPO
- Scheduled activity postponed for 48h, caught up in 10 days
- Ransom not paid
- ANSSI and insurer investigations completed, with a full case file delivered in 5 days
Lessons learned
What made the difference:
- Mobile reflex cards enabled activation in the middle of the night without waiting for the physical crisis room to open
- CMDB quality reduced impact analysis from hours to minutes
- Quarterly-tested immutable backups proved uncompromised
- The September 2025 ransomware tabletop had drilled the right reflexes
Improvement areas:
- Paper-based degraded admission procedures were outdated, slowing A&E intake
- Network segmentation between medical-technical and administrative zones was reinforced after the incident
- The external media communications plan was fully rewritten following the post-mortem
Learn more
ResiPlan supports more than twenty healthcare institutions in France and Europe. The platform combines mobile reflex cards, dependency cascades, cyber playbooks and structured post-mortems to turn every incident into a resilience asset.
- BCM and business continuity solution
- 10 crisis exercise scenarios to test your BCMS
- Talk to an expert
- Pricing and demo
Case study anonymised with customer consent. Figures, timings and impacts are authentic; the institution's identity is protected.