Secutec alerted the Cybersecurity Center Belgium and urged affected hospitals and the IT supplier to reset passwords, test backups, and scan for intrusions as part of a coordinated response.

Two primary attack vectors were noted: exploiting unpatched vulnerabilities and password-stealer software, with password-stealers especially risky when admins have broad rights.

The incident underscores the importance of two-factor authentication and Secutec has shared findings with the Belgian Cyber Security Centre.

Around 71,000 records, including patient and care-provider names, addresses, and national registry numbers, were exposed in the breach with the exact publication date described as very recent.

The AZ Monica cyberattack disrupted the hospital’s IT systems, leading to canceled procedures and preventive shutdowns of campus servers in Deurne and Antwerp.

A cybersecurity firm found that a data breach at a supplier of patient registration software affected at least five Belgian hospitals, linked to the AZ Monica attack in Antwerp and involving 71,000 personal and login details exposed on the darknet.

Two-factor authentication is critical to mitigate password-based intrusions, as attackers can still access systems if passwords are compromised.

The root problem is third-party risk from external suppliers and applications, underscoring the need for third-party control audits under the NIS2 directive that has been in effect in Belgium since October 2024.

Secutec notes that Belgian hospitals generally have strong cybersecurity but must audit their providers to manage supply-chain cyber risks in line with NIS2.

Geert Baudewijns, CEO of Secutec, argues that the sector is not universally underprotected and cites a FPS Public Health study suggesting three-quarters of hospitals aren’t mature enough to meet NIS2.

The identities of the affected hospitals were not disclosed by the provider due to confidentiality or ongoing investigations.

A second IT-supplier breach also impacted about 1,000 login details of commercial and government organizations, signaling broader systemic risk beyond healthcare.