Cyber attacks on hospitals threaten not only IT systems, but also patient care and critical infrastructure in Germany and Europe. Professional hackers encrypt data, steal health information, and paralyze entire clinics. Our article describes the legal framework and provides recommendations for action in the event of an emergency.
Threat environment and legal framework
Beyond the organizational challenges that a hacker attack poses for a hospital, cyber attacks on hospitals often directly endanger patient care in day-to-day operations. The attacks are becoming increasingly professional, especially through ransomware campaigns in which central IT systems are encrypted and a ransom is demanded. Sensitive health data is often also stolen and then published or sold on the darknet. Such incidents require not only immediate technical and organizational measures, but also legally compliant and timely action to meet the extensive legal requirements that follow and to minimize the hospital's liability risks.
Hospitals are increasingly being targeted by criminal and state-sponsored hackers, as they are a particularly lucrative target due to their role as part of critical infrastructure. The consequences of a cyberattack are serious: financial losses amounting to millions, lengthy recovery processes, and significant restrictions in medical care—from postponed surgeries to the closure of emergency rooms. In 71% of documented attacks, there were direct impairments to patient care. At the same time, the risk of sensitive health data being disclosed is particularly high.
The legal environment surrounding cyberattacks on hospitals is complex. Data protection law, IT security law, criminal law, and sometimes even civil liability claims by those affected all come into play here. Legal requirements demand good preparation and a systematic, documented approach to detecting and responding to cyberattacks on hospitals.
Data protection reporting obligations – supervisory authorities and affected parties
Data protection law is at the heart of the legal obligations. Hospitals process particularly sensitive data, namely health data within the meaning of the GDPR. A data protection breach occurs as soon as the confidentiality, integrity, or availability of this data is compromised. This is the case, for example, if data is leaked without authorization, manipulated, or is no longer accessible.
If an attacker gains unauthorized access to IT systems and publishes patient data on the darknet, this constitutes a breach of confidentiality. If medical information is manipulated – for example, by feeding in false laboratory values or medication data – the integrity of the data is compromised. If access to digital patient records is blocked by encryption and medical data or treatment plans are temporarily or permanently unavailable, availability is violated.
As soon as such a breach is detected, clinics are obliged to report the incident to the competent data protection supervisory authority within 72 hours of becoming aware of it. As a rule, the patients affected must also be informed. The deadline for reporting begins as soon as there is relevant suspicion, not only after the facts have been fully clarified. If reporting obligations are neglected or fulfilled late, fines may be imposed by the data protection supervisory authorities and there may also be considerable civil liability risks from the patients affected.
The overall legal responsibility for reporting and handling lies with the hospital management. Even if tasks can be delegated to data protection officers and compliance teams or IT security, the organizational responsibility ultimately remains with the management level.
IT security law (BSIG, NIS2) – protection of critical infrastructure
In addition to data protection law, the provisions of IT security law also apply. Hospitals are considered critical infrastructure operators and must ensure that they report significant incidents to the Federal Office for Information Security (BSI). The European NIS2 Directive further tightens these obligations by requiring a three-step reporting procedure.
The initial report must be made no later than 24 hours after an incident is detected. This is followed within 72 hours by a detailed follow-up report, which must also include an assessment of the severity and impact. No later than one month after that, a final report must be prepared documenting the causes and the measures taken.
Reports are not only required when serious disruptions have actually occurred. The mere possibility of a serious incident may be sufficient to trigger a reporting obligation. The aim of the IT security reporting obligation is to ensure comprehensive risk management and the functionality of patient care as part of critical infrastructure.
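The two reporting clocks described above (the 72-hour GDPR notification and the 24-hour / 72-hour / one-month NIS2 sequence) start from the moment the hospital becomes aware of the incident, so an incident response team needs to know at any point which report is due next and which is already overdue. The following deadline tracker is an added example written for this article, not code from the article or from any authority; it assumes that the GDPR "awareness" moment and the NIS2 "detection" moment are the same timestamp, and it approximates the "one month" for the final report as 30 days after the 72-hour follow-up report falls due. The step names are constructed labels, not official designations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Reporting steps as the article describes them, keyed by the delay after the
# hospital becomes aware of the incident. Assumption: awareness under the GDPR
# and detection under NIS2/BSIG are taken to be the same timestamp, and the
# "one month" for the final report is approximated as 30 days after the
# 72-hour follow-up report falls due.
REPORTING_STEPS = (
    ("GDPR: notification to the data protection supervisory authority", timedelta(hours=72)),
    ("NIS2/BSIG: initial report to the BSI", timedelta(hours=24)),
    ("NIS2/BSIG: detailed follow-up report (severity and impact)", timedelta(hours=72)),
    ("NIS2/BSIG: final report (causes and measures taken)", timedelta(hours=72) + timedelta(days=30)),
)


@dataclass(frozen=True)
class ReportDeadline:
    name: str
    due: datetime
    submitted: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """'done' or 'late' once submitted, otherwise 'open' or 'overdue'."""
        if self.submitted is not None:
            return "late" if self.submitted > self.due else "done"
        return "overdue" if now > self.due else "open"


def reporting_deadlines(
    aware_at: datetime, submitted: Optional[Dict[str, datetime]] = None
) -> List[ReportDeadline]:
    """Build the full reporting schedule for one incident, earliest deadline first."""
    submitted = submitted or {}
    deadlines = [
        ReportDeadline(name, aware_at + delay, submitted.get(name))
        for name, delay in REPORTING_STEPS
    ]
    # sorted() is stable, so steps with the same due time keep their table order
    return sorted(deadlines, key=lambda d: d.due)


def overdue_reports(
    aware_at: datetime, now: datetime, submitted: Optional[Dict[str, datetime]] = None
) -> List[str]:
    """Names of reports whose deadline has passed without a submission."""
    return [d.name for d in reporting_deadlines(aware_at, submitted) if d.status(now) == "overdue"]


def next_deadline(
    aware_at: datetime, now: datetime, submitted: Optional[Dict[str, datetime]] = None
) -> Optional[ReportDeadline]:
    """The earliest report that is still open (not submitted, not yet overdue)."""
    for d in reporting_deadlines(aware_at, submitted):
        if d.status(now) == "open":
            return d
    return None


if __name__ == "__main__":
    # Constructed timeline: awareness at 08:00 UTC, status check 30 hours later.
    aware = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    now = aware + timedelta(hours=30)
    for d in reporting_deadlines(aware):
        print(f"{d.status(now):8} {d.due.isoformat()}  {d.name}")
    print("overdue:", overdue_reports(aware, now))
```

Because the article notes that the clock starts at the first relevant suspicion rather than after the facts are clarified, `aware_at` should be set to the time of that suspicion, not the time the investigation concludes.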
Criminal law and civil liability
A cyberattack on a hospital may constitute a criminal offense, for example under Sections 202a et seq., 303a and 303b of the German Criminal Code (StGB) (spying on and altering data, computer sabotage) and Section 263a StGB (computer fraud). Handling stolen data (§ 202d StGB) may also be relevant, especially in the case of the transfer or sale of sensitive health data. Early cooperation with law enforcement authorities – for example, via the central contact points for cybercrime (ZAC) of the state criminal investigation offices – is therefore recommended.
To ensure that communication with investigating authorities, supervisory bodies, and, if applicable, affected parties is legally sound and strategically sensible, it is also advisable to involve specialized legal support at an early stage. In particular, it is important to comply with all legal reporting and cooperation obligations without weakening the legal position of the hospital through hasty or unprotected statements – for example, with regard to potential liability, fines, or recourse claims by affected parties.
Practical incident management – preparation is a must!
In order to meet all reporting obligations and carry out the necessary steps after an incident, hospitals should establish comprehensive incident management. Roles and procedures must be clearly defined: it must be determined who makes the reports in an emergency and which departments are informed.
Cooperation with IT service providers should be secured by contractual arrangements so that action can be taken quickly and in a coordinated manner in an emergency. Cyber insurance can also play a role here, as immediate damage reporting is essential for support and insurance coverage. The involvement of forensic specialists for investigation and preservation of evidence must also be ensured.
Conclusion and recommendations
The legal reporting deadlines are tight, the requirements complex – and the liability risk for hospital management considerable. An effective strategy therefore consists not only of technical prevention, but also of a clearly structured and regularly rehearsed crisis organization to reduce the risk of sanctions and fines and to prepare complex stakeholder management for emergencies.
Hospitals should set up incident response teams and practice the associated reporting processes. Existing security and data protection processes must be continuously adapted to current legal requirements so that new legal obligations can be complied with.
Contracts with service providers and insurance companies should also be reviewed with regard to incident management. After an incident, a thorough analysis of the causes is necessary in order to gain insights for future protective measures and to further optimize processes.
Through targeted preparation and forward-looking action, hospitals can effectively prepare for emergencies. In the event of a crisis, existing resources can be pooled to quickly restore patient care, minimize legal risks, and avert economic damage. The legal requirements are high, but with clear organization and well-thought-out processes, they can be met in a practical and legally compliant manner.