Security company Secutec has discovered that at least five Belgian hospitals have been victims of a data breach at a supplier of patient registration software. A total of 71,000 personal and login details of patients and healthcare providers were found on the darknet. But that’s not all: a second breach at an IT supplier affected another 1,000 login details of commercial and government organizations.
The investigation was launched in response to the cyberattack on the AZ Monica hospital in Antwerp. During its darknet investigation, Secutec’s security operations center tracked down four other affected healthcare institutions. They all used the same online patient registration software, and apparently, they were not the only ones.
Geert Baudewijns, CEO of Secutec, questions the perception that the healthcare sector does too little in terms of cybersecurity. According to a study by the FPS Public Health, three out of four Belgian hospitals are not sufficiently mature to comply with NIS2. “The healthcare sector is often quick to be blamed,” he responds. “In reality, cybersecurity in Belgian hospitals is of the highest level, with the necessary security systems in place.”
The danger lies with third parties
According to Baudewijns, the real problem lies elsewhere. Hospitals and other organizations often rely on online applications from external suppliers. These suppliers can be hacked or negligent, posing a potential cyber threat. The European NIS2 cybersecurity directive, which has been in force in Belgium since October 2024, therefore requires third-party control audits.
“Some hospitals in our country could do better in this area,” says Baudewijns. The second data breach discovered by Secutec shows that organizations outside the healthcare sector also need to monitor their suppliers more closely.
Password stealers as dangerous as vulnerabilities
According to Secutec, data breaches and cyberattacks occur in two ways: through new or unpatched vulnerabilities, or through password stealers (software that literally steals passwords). Both types of intrusion occur with equal frequency. According to the company, password-stealing attacks are commonplace in large organizations.
“Technicians are often given full administrator rights to perform all necessary IT interventions,” explains Baudewijns. “Unfortunately, they sometimes unintentionally install a hidden password stealer. If it concerns an IT supplier, the consequences cannot be overestimated.”
According to the CEO, this emphasizes the importance of two-factor authentication. Even if the hacker has the password, the double confirmation is only done by the legitimate user.
Secutec has since informed the Cybersecurity Center Belgium of its findings. The four other hospitals and the IT supplier were also notified. It advised them to reset passwords, test backup systems, and scan networks for possible intrusions.