Severity: critical
Records: 71,000 (five hospitals via shared supplier breach)
Vector: Ransomware
Organization: AZ Monica Hospital
Incident Date: 2026-01-13

What Happened

On January 13, 2026, AZ Monica hospital in Antwerp, Belgium, detected a ransomware infection in its computer systems and shut down all servers at 6:32 AM. The attack forced the cancellation of over 70 surgeries, disrupted chemotherapy treatments, radiological exams, and medical imaging, and led to the transfer of seven critical care patients to other hospitals via the Red Cross.

The incident triggered a broader investigation that revealed five Belgian hospitals had been compromised through a shared patient registration software supplier, with 71,000 personal and login records of patients and healthcare providers found on the dark web.

Impact on Patients

The attack had immediate and severe consequences for patient safety. Over 70 operations were canceled on the first day, and no operations were performed on the second day. Doctors could not access electronic patient records. Chemotherapy treatments were postponed, and radiological exams and medical imaging were suspended. Seven critical care patients had to be transferred to other hospitals. Consultations were disrupted across both AZ Monica campuses in Antwerp and Deurne.

Attack Details

The hospital’s network was infected with ransomware, though AZ Monica reported that no ransom demands had been received at the time of disclosure. Hospital management stated that the prompt server shutdown prevented the leak of patient personal data from the hospital’s own systems.

Bigger Than One Hospital

In the wake of the AZ Monica attack, Belgian security company Secutec discovered a wider breach. At least five Belgian hospitals were victims of a data breach at a shared supplier of patient registration software. Some 71,000 personal and login details of patients and healthcare providers were found on the dark web. The supply chain compromise may have been a factor in or precursor to the AZ Monica ransomware attack.

Investigation

The incident is under investigation by the Belgian public prosecutor’s office, Belgian federal and local police, and the Federal Police’s specialized cybercrime unit.

Timeline

January 13, 2026, 6:32 AM: AZ Monica detected ransomware and shut down all servers.
January 13, 2026: Over 70 surgeries were canceled and seven patients were transferred.
January 14, 2026: The hospital continued operating without IT systems and no surgeries were performed. The Belgian public prosecutor confirmed a cyberattack.
Mid-January 2026: Secutec discovered 71,000 records from five hospitals on the dark web.

Part of a Larger Trend

This attack is part of a persistent trend of ransomware targeting healthcare organizations. Hospitals are high-value targets because patient safety pressures create urgency to restore systems quickly, legacy medical systems often cannot be easily patched, electronic health records are operationally critical with downtime directly impacting care, and healthcare data commands premium prices on dark web markets.

Notable recent healthcare ransomware incidents include the Change Healthcare attack in February 2024, which affected the entire U.S. healthcare payment system, and multiple hospital disruptions across Europe throughout 2025.

What Healthcare Organizations Should Do

Healthcare organizations should assess the cybersecurity posture of shared software suppliers and third-party vendors. Implementing network segmentation between clinical systems, administrative systems, and internet-facing services is essential. Maintaining offline backup and recovery procedures that allow continued patient care during IT outages is critical. Organizations should conduct tabletop exercises specifically for ransomware scenarios affecting clinical operations, establish mutual aid agreements with nearby hospitals for patient transfer during cyber incidents, and ensure patient registration and EHR vendors meet baseline cybersecurity requirements in procurement contracts.