AZ Monica hospital in Antwerp, Belgium, was forced to shut down all servers, cancel over 70 medical procedures, and transfer critical patients to other facilities following a cyberattack detected on January 13, 2026. The incident prompted the Flemish government to pledge €10 million for hospital cybersecurity improvements.
Incident overview
| Attribute | Details |
|---|---|
| Victim | AZ Monica hospital |
| Location | Antwerp and Deurne, Belgium |
| Attack type | Ransomware (confirmed) |
| Detection time | 6:30 AM, January 13, 2026 |
| Server shutdown | 6:32 AM |
| Operations cancelled | 70+ on day one |
| Critical patient transfers | 7 |
| Appointments cancelled | 8,000+ |
| Recovery status | Reopened at half capacity |
Timeline
| Time/Date | Event |
|---|---|
| 6:30 AM, Jan 13 | Staff notice serious IT failure |
| 6:32 AM, Jan 13 | All servers disconnected |
| Morning, Jan 13 | 70 planned operations cancelled |
| Morning, Jan 13 | 7 critical patients transferred with Red Cross support |
| Day 2 | Operations still cancelled; chemotherapy patients sent to Amsterdam |
| Jan 18 | Prime Minister De Croo convenes crisis meeting |
| Following weeks | Hospital reopens at half capacity |
| February | Wage recalculations expected |
Patient care impact
Immediate disruptions
| Impact | Details |
|---|---|
| Operations cancelled | 70+ on day one; none on day two |
| Patients sent home | ~70 patients |
| Critical transfers | 7 patients moved to other hospitals |
| Chemotherapy | 150 oncology patients transferred to Gasthuiszusters Antwerpen |
| Urgent chemo cases | Treated at University Hospital of Amsterdam |
| MUG/PIT services | Mobile emergency teams temporarily unavailable |
| Appointments cancelled | 8,000+ with rescheduling letters mailed |
Affected services
| Service | Status |
|---|---|
| Radiological examinations | Postponed |
| Medical imaging | Unavailable |
| Chemotherapy treatments | Transferred to other facilities |
| Scheduled surgeries | Cancelled |
| Non-urgent appointments | Postponed |
| Laboratory systems | Offline |
| Electronic medical records | Inaccessible |
No deaths were linked to the disruptions, according to hospital logs.
Nature of the attack
Belgian authorities confirmed the attack used ransomware:
| Attribute | Details |
|---|---|
| Attack type | Ransomware |
| Ransom demand | Unconfirmed reports; not officially acknowledged |
| Data exfiltration | Under investigation |
| Attribution | Unknown |
The hospital operates two campuses in Antwerp and Deurne, both affected by the attack.
Medical impact statement
Chief physician Jean-Paul Sion described the operational impact:
“A wide range of examinations and treatments had been postponed due to the incident, including radiological exams, medical imaging and chemotherapy treatments.”
The shutdown of electronic patient files forced staff to revert to paper-based processes for essential care.
Staff and financial impact
The cyberattack created significant payroll challenges:
“Since the cyberattack, shifts, overtime, weekend shifts, and exchanges can’t be registered correctly. The reality is that the hospital is currently unable to calculate wages correctly.” — Tijl Denis, BBTK/ABVV trade union
Payroll solution
| Measure | Details |
|---|---|
| Interim payment | 90% of December wages |
| Basis | December used as benchmark |
| Recalculation | Expected February when systems restored |
| Affected staff | All hospital employees |
Response
Hospital actions
| Action | Purpose |
|---|---|
| Immediate server shutdown | Contain ransomware spread |
| Police notification | Criminal investigation |
| Prosecutor notification | Legal proceedings |
| Paper-based processes | Maintain critical functions |
| Peer hospital coordination | Patient care continuity |
| Red Cross support | Critical patient transfers |
Government response
| Action | Authority |
|---|---|
| Crisis meeting | Prime Minister Alexander De Croo (Jan 18) |
| Task force established | National coordination |
| €10 million pledge | Flemish Minister for Health Hilde Crevits |
| Mandatory reporting proposal | 24-hour incident notification requirement |
Belgian healthcare threat landscape
Belgium recorded 45 healthcare cyber incidents in 2025—a 30% increase from 2024, according to the Centre for Cybersecurity Belgium (CCB).
Attack frequency
| Metric | Value |
|---|---|
| Healthcare attacks per week (Q2 2025) | 2,620 attacks |
| Sector ranking in Belgium | Hardest hit sector |
| Year-over-year increase | 30% |
Healthcare organizations experienced an average of 2,620 attacks per week in the second quarter of 2025, making the sector the hardest hit in Belgium.
Recent Belgian hospital attacks
| Hospital | Date | Impact |
|---|---|---|
| UZ Gent | 2025 | Operations disrupted |
| CHU Saint-Pierre | 2025 | Systems offline |
| AZ Monica | January 2026 | Full shutdown, patient transfers |
European healthcare targeting
| Country | Recent incidents | Pattern |
|---|---|---|
| Belgium | 45 in 2025 (+30%) | Increasing |
| Germany | Multiple hospital attacks | Significant |
| France | Healthcare ransomware surge | Growing |
| UK | NHS repeated targeting | Persistent |
Why hospitals are targets
| Factor | Attacker benefit |
|---|---|
| Pressure to restore operations | Patient care can’t wait; creates ransom payment pressure |
| Valuable data | Medical records command premium prices on dark web |
| Complex IT environments | Legacy systems, medical devices, interconnected departments |
| Understaffing | Healthcare IT often resource-constrained |
| 24/7 operations | No maintenance windows for security updates |
| Life-safety systems | Maximum leverage for extortion |
| Insurance coverage | Often have cyber insurance with ransomware coverage |
Healthcare data value
| Data type | Dark web value |
|---|---|
| Medical records | $250-$1,000+ per record |
| Insurance information | High fraud potential |
| Prescription data | Drug diversion |
| Identity documents | Identity theft |
Regulatory requirements
European healthcare providers face strict requirements:
| Regulation | Requirement |
|---|---|
| GDPR | Breach notification within 72 hours |
| NIS2 Directive | Critical infrastructure security obligations |
| Belgian law | Health-specific regulations |
| New proposal | 24-hour mandatory incident reporting |
Recovery challenges
Healthcare incident response requires balancing competing priorities:
| Tension | Challenge |
|---|---|
| Patient safety vs. data protection | Restore care functions vs. secure investigation |
| Maintaining critical care vs. preventing exfiltration | Keep systems running vs. contain threat |
| Communication with patients vs. technical recovery | Transparency vs. operational focus |
| Regulatory compliance vs. operational restoration | Notification requirements vs. recovery speed |
AZ Monica reopened at half capacity in the weeks following the attack, indicating prolonged recovery timelines.
Recommendations for healthcare organizations
Preparation
| Control | Purpose |
|---|---|
| Offline backup systems | Enable critical functions during IT outage |
| Tested incident response plans | Know what to do before an attack |
| Network segmentation | Contain ransomware spread |
| EDR on all endpoints | Detect ransomware before encryption |
| Staff security training | Reduce phishing success |
| Medical device isolation | Protect life-safety systems |
Resilience measures
| Measure | Benefit |
|---|---|
| Peer institution relationships | Mutual aid for patient transfers |
| Critical system identification | Know what must stay running |
| Paper-based fallback plans | Operations during extended outages |
| Pre-negotiated IR retainers | Rapid expert response |
| Regular tabletop exercises | Practice response procedures |
Detection and response
| Priority | Action |
|---|---|
| Critical | Deploy EDR with ransomware-specific detection |
| High | Implement network monitoring for lateral movement |
| High | Maintain offline backups tested monthly |
| Medium | Segment clinical from administrative systems |
| Ongoing | Train staff on phishing identification |
Context
The AZ Monica attack illustrates healthcare’s vulnerability to ransomware. The sector combines high-value data, operational pressure to pay ransoms, and often inadequate security investment.
Belgium’s €10 million pledge and proposed 24-hour reporting requirement indicate government recognition that healthcare cybersecurity requires systemic investment, not just individual hospital efforts.
For healthcare organizations elsewhere: the threat is real, the attacks are increasing, and winter timing (when bed capacity is already strained) maximizes attacker leverage. The 8,000+ cancelled appointments and 150 transferred chemotherapy patients demonstrate the human cost of healthcare cyber incidents.
Incident significance
The attack’s severity warranted its own Wikipedia entry (“2026 Belgian hospital cyberattack”), indicating the incident’s significance in the broader context of healthcare cybersecurity.
Key lessons
| Lesson | Application |
|---|---|
| Rapid containment | 2-minute response limited spread |
| Peer relationships | Pre-established transfer agreements enabled patient care |
| Paper fallbacks | Manual processes maintained critical functions |
| Government engagement | High-level attention accelerated support |
| Financial flexibility | 90% wage interim payment maintained staff morale |
The incident demonstrates both the vulnerability of healthcare IT and the importance of prepared response procedures.