6:32 AM
At 6:32 on the morning of 13 January 2026, the IT team at AZ Monica hospital in Antwerp began shutting down servers. They had seen activity no healthy network should produce and made the decision containment demands: isolate, disconnect, stop the intruder from moving. Reporting during the incident recorded what followed. Seventy operations were cancelled. Emergency care was restricted, ambulances were sent elsewhere and several critical patients had to be transferred.
Disconnecting the network was probably the correct call. It also removed part of the hospital’s working memory in an instant. Staff lost normal access to records, prescriptions, schedules and communications. They returned to paper inside an institution whose routines had been built around digital systems for years. The official phrase is degraded mode. On a ward it means phoning to confirm what used to be on screen, copying information by hand, finding somebody who remembers the workaround and making decisions with less context while the queue grows.
We can spend weeks arguing over the correct label for the incident, which group entered and whether a ransom demand was authentic. For the person waiting for an operation, an ambulance or a test result, the forensic distinction arrived late. The digital attack had already become missed care.
Clinical time cannot be restored from backup
Corporate incident reports count downtime, exposed files and recovery costs. Those figures matter, but they describe a hospital badly. A factory may recover some production tomorrow. A backup may restore a patient record. Neither gives back the six hours during which a scan was delayed, an ambulance travelled farther or a diagnosis waited.
In 2020, a woman needing urgent treatment was diverted away from Düsseldorf after an attack disabled admissions. She died. German prosecutors opened a negligent-homicide investigation, although assigning one death to one intrusion proved much harder in law than observing the material chain. The patient needed to reach a hospital. That hospital could not receive her. The transfer consumed time her body did not have.
That difficulty — putting ransomware on a death certificate — benefits almost everyone with responsibility. Harm is scattered across delays, mistakes, transfers and exhausted staff. Every individual case leaves room for doubt. The combined pattern does not. Taking away the systems through which a hospital coordinates care makes care worse. We do not need a theatrical body count to understand that.
The shift that never appears in the budget
Hospitals are attractive extortion targets because they cannot wait. They hold intimate information, operate continuously and pay for every interruption immediately. Attackers exploit that urgency. Explaining the whole problem through criminal cruelty is still too convenient. We also have to ask who left the institution fragile, and why it stayed that way.
Security competes in budgets already short of nurses, beds and equipment. Its success often looks like nothing happening, which is a difficult purchase to defend against a visible clinical need. A replacement is deferred. An old system remains because the medical device attached to it still works. A patch waits because taking the service down requires a maintenance window nobody can find. Each choice can appear rational alone. Together they manufacture brittleness.
Vendors know this environment. They sell expensive clinical devices tied to software with poor support lifecycles, charge for upgrades or make one component replacement trigger a much larger certification problem. Contractors divide responsibility until nobody holds a complete map of the network. Management signs the risk. Clinical staff inherit it on the night shift.
In 2017, WannaCry disrupted large parts of England’s NHS. Patches and warnings existed, but so did vulnerable machines, incomplete inventories and organisations without the capacity to apply the advice in time. Reports, action plans and promises followed. So did Düsseldorf, Scripps, CommonSpirit, Change Healthcare and AZ Monica. The lesson is learned at every press conference and forgotten in the next budget.
Who can afford room for error
Healthcare security follows healthcare resources. A large network can employ specialists, maintain redundancy, segment systems, rehearse recovery and push back against a supplier. A small or rural hospital may have a handful of people keeping everything alive. Its patients have the same clinical needs; the institution can buy far less margin for error.
When a wealthy network fails, it may redirect work within its own organisation and hire external responders. When the only hospital in reach fails, “diversion” means physical distance. Inequality leaves the spreadsheet and gets into the ambulance.
The ransomware market, meanwhile, has professionalised its own division of labour. Affiliates rent tooling, payment infrastructure, leak sites and negotiating support. Crime acquired a service industry while many defenders remain dependent on exhausted teams and fragmented procurement. The hospital is then told to improve its maturity as though it chose the terms of the contest.
Assign responsibility before the next attack
Hospitals need to patch, segment networks, keep isolated backups and practise recovery. Any plan that never reaches those tasks is smoke. A technical checklist without money, time and named owners is another kind of smoke.
Public funding has to cover the renewal and staff required by public obligations. Procurement contracts should guarantee security support for the clinical life of a product, updates without commercial ransom and prompt disclosure of vulnerabilities. Manufacturers should carry liability when negligent design contributes to patient harm. Recovery also has to be rehearsed with the people who will operate degraded care, not approved in a document nobody opens.
At 6:32, somebody at AZ Monica had the authority to disconnect the network and prevent something worse. The ability to recover is decided much earlier: by who buys, who maintains, who covers an absence, who may stop a server and what happens to patients while it is stopped. If those answers depend on the budget of whichever hospital a person happens to reach, we have accepted that some lives deserve more recoverable systems than others.
The next attack will again be described as an unexpected emergency. It is not. Only the hospital’s name will be new.