The Attack
On April 7, 2026, ChipSoft's systems went offline. By the next morning eleven Dutch hospitals had disconnected the company's software from their networks. ChipSoft's HiX platform serves between 70% and 80% of all Dutch hospitals; reported figures vary by outlet but cluster in that range. Leiden University Medical Center postponed a major EPD rollout. Sint Jans Gasthuis, Laurentius, VieCuri, Flevo, Rijnstate, and Antoni van Leeuwenhoek detached their ChipSoft integrations as a precaution. Belgian hospitals running the cloud-hosted HiX 365 platform were hit as well.
ChipSoft initially told clients that personal data was "probably" safe. By mid-April the company had confirmed theft. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received 66 data-breach notifications connected to the incident, including one from ChipSoft itself. Attackers later claimed to hold roughly 100 GB of treatment and health information and threatened publication. No ransomware group has publicly claimed responsibility, which is unusual for extortion-driven operators and worth noting as a data point about attacker motivation.
Z-CERT, the Dutch healthcare CERT, issued a statement that "no critical care processes have come to a standstill." The careful phrasing is doing a lot of work. Critical care continued. Records, appointments, billing, referrals across hospital boundaries, and research did not, which matters because hospitals cannot go dark the way a bank or a retailer can without patients ending up in the blast radius.
The Precedent Everyone Should Recognize
This is the second run at the same problem in fourteen months, and the third in four years.
In February 2024 the ALPHV/BlackCat ransomware group took Change Healthcare offline. Change processes roughly half of all U.S. medical claims and touches about 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals. The American Hospital Association reported that some health systems were losing over $100 million per day during the disruption, and 94% of hospitals reported financial impact. The final tally at UnitedHealth was $2.457 billion and roughly 193 million people's records exposed, which remains the largest healthcare breach in U.S. history.
The UK lived its version two years earlier. In August 2022 LockBit compromised Advanced, a third-party software provider running Adastra, the patient-management platform behind NHS 111. The entry point was a contractor credential without multi-factor authentication. NHS 111 staff reverted to pen and paper, a COBR (cabinet-level) crisis meeting was convened, and 82,946 people's data was stolen. The ICO eventually fined Advanced £3.08 million.
Outside healthcare the pattern is the same. When Blue Yonder was hit with ransomware in November 2024, Starbucks lost the ability to calculate employee wages and three major UK supermarket chains had fresh-produce supply chains disrupted through a single shared vendor. Three countries, three sectors, three years. Each time a single third-party vendor sat between national-scale service delivery and the rest of the economy, and each time the vendor's cyber posture became the customer industry's cyber posture within hours.
The Regulatory Blind Spot
The Dutch story has something the U.S. and UK stories do not. A national regulator actually investigated the vendor for market power two years before the attack.
In 2021 the Autoriteit Consument & Markt (ACM), the Dutch competition authority, published an interim market survey identifying ChipSoft as the dominant general-hospital EHR vendor. In 2023 ACM opened a formal investigation into the company's conduct. The regulator's finding, paraphrased from the market survey: regional clusters of hospitals locked into the same HIS/EHR system create market-power concerns that "hinder the switch to another supplier."
The investigation looked at switching costs. It looked at contract lock-in. It looked at whether ChipSoft's pricing was extractive. That is what competition regulators are mandated to look at. Nothing in the public record of that two-year investigation addresses cyber resilience as a function of market share. The regulator was asked whether the market was competitive, not whether the market was concentrated to the point that a single vendor's security incident would cascade into a national healthcare emergency. Those are different questions, and the second one is the question that matters once a ransomware group finds an unprotected credential somewhere in the vendor's stack.
The U.S. benchmark provides scale context: Epic and Oracle Cerner together account for about 85% of hospital EHR market share among large U.S. hospitals with 500 or more beds, and Epic has captured roughly 70% of all U.S. hospital EHR decisions in the most recent year measured. ChipSoft at 70-80% of all Dutch hospitals (not just the large ones) is comparable to or more concentrated than the U.S. large-hospital segment, spread across the entire national hospital population rather than a subset. The U.S. healthcare regulatory update that mattered most recently is the 2025 HIPAA Security Rule overhaul, which finally mandated MFA and encryption controls but still does not require anyone to ask how many hospitals run the same EHR.
Market competition regulators have a methodology for concentration. Cyber regulators have a methodology for incident response. Neither has a methodology for market concentration as cyber risk. That gap is what the ChipSoft attack is going to force into scope.
What Procurement Teams Should Actually Ask
During my time doing M&A vendor due diligence at Houlihan Lokey, the diligence checklist for a mid-cap acquisition target was longer than what most hospital procurement teams run on their third-party EHR. That is upside-down. The M&A team is trying to price downside risk on a single company. Procurement is trying to price downside risk on the entire operating capacity of the acquirer. The same lens I applied to the Mercor vendor-governance gap applies here: vendor risk is a function of what the vendor holds and what the customer cannot operate without, not the category on the procurement form.
Specific questions that would have surfaced the ChipSoft exposure before the ransomware note landed:
- What is the vendor's sub-processor chain, in full? HiX 365 is cloud-hosted. Whose cloud? Whose identity provider? Whose MFA stack? The Advanced/NHS attack entered through a contractor credential without MFA. That was a sub-processor question no one asked.
- What is the vendor's concentration in our market segment, and what is our organization's dependency on their uptime? If the answer is "80% of the industry and we have no offline continuity plan," the contract needs different terms than a contract with a vendor serving 5% of the market. Concentration is a pricing input, not a background fact.
- What is the vendor's own vendor-diligence posture? ChipSoft's security is now the hospital's security. The hospital's vendor-diligence posture on ChipSoft is now part of the hospital's security. Concentration compounds in both directions.
- What is the offline continuity plan, named and rehearsed? Z-CERT's phrasing was precise: critical care did not stop. That is not the same as saying records, scheduling, prescribing, and referrals did not stop. A vendor's definition of "uptime" and a hospital's definition of "operating" are different documents, and the difference is exactly the gap that determines whether an outage is a headache or a crisis.
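The first two questions above (the sub-processor chain and the dependency on vendor uptime) can be answered with a small dependency-graph calculation. This is an added example, not from the article or from any vendor or hospital named in it; the organizations, platforms and sub-processors in the inventory are constructed placeholders.

```python
"""Blast-radius estimate over a shared-vendor dependency graph (added example).

Given which organizations cannot operate without which platform, and which
sub-processors each platform depends on, compute for every vendor or
sub-processor the share of organizations that go offline if that single node
is compromised. All names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: organization -> platform it cannot operate without.
ORG_PLATFORM = {
    "hospital-a": "EHR-X", "hospital-b": "EHR-X", "hospital-c": "EHR-X",
    "hospital-d": "EHR-X", "hospital-e": "EHR-Y", "hospital-f": "EHR-Z",
}
# Constructed sub-processor chain: node -> providers it depends on
# (cloud host, identity provider, MFA stack, ...).
DEPENDS_ON = {
    "EHR-X": ["cloud-1", "idp-1"],
    "EHR-Y": ["cloud-2", "idp-1"],
    "EHR-Z": [],
    "idp-1": ["mfa-1"],
}

def dependents(node, graph):
    """Return node itself plus every node that transitively depends on it."""
    reverse = defaultdict(set)
    for child, parents in graph.items():
        for parent in parents:
            reverse[parent].add(child)
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(reverse[current])
    return seen

def exposure(org_platform, graph):
    """Map each vendor/sub-processor to the fraction of organizations it can take offline."""
    nodes = set(graph) | set(org_platform.values()) | {p for ps in graph.values() for p in ps}
    total = len(org_platform)
    result = {}
    for node in nodes:
        affected = dependents(node, graph)
        down = sum(1 for platform in org_platform.values() if platform in affected)
        result[node] = down / total
    return result

def above_threshold(org_platform, graph, threshold=0.5):
    """Nodes whose single compromise takes at least `threshold` of the sector offline."""
    return sorted(n for n, share in exposure(org_platform, graph).items() if share >= threshold)
```

Note that the shared MFA provider at the bottom of the chain scores higher than any single EHR vendor: that is the sub-processor exposure the procurement questions are meant to surface.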
The procurement gap is not that hospitals did not know ChipSoft was concentrated. The concentration was the selling point. ChipSoft's value proposition to any individual Dutch hospital was that the other hospitals were also on ChipSoft, so interoperability, referrals, and regional transfers worked without custom integration. Vendor concentration produced a local benefit and a national vulnerability at the same time.
That is the pattern the Pentagon encountered with Anthropic and OpenAI supply-chain concentration last year. It is the pattern that Fortinet's fifth zero-day in five months exposed across the enterprise firewall market. The principle translates across sectors: a vendor's concentration is an asset to the customer until the day the vendor has a bad week, and then the concentration is the customer's exposure.
Dutch regulators will update their guidance after this incident. They will probably update it for ChipSoft specifically, and the update will probably focus on incident response and breach notification. The more useful update is the one that treats market concentration as a cybersecurity variable in every sector, not just healthcare, and not just after the vendor has already had its bad week.