Belgian hospital restores systems a month after ransomware attack

Peter Chofield

Systems at Belgian hospital AZ Monica were largely restored roughly one month after a ransomware attack on 13 January 2026, according to reporting from Security.NL and VRT NWS. The hospital says core clinical systems — electronic patient records, imaging, e‑prescriptions and emergency systems — are again available; visitor Wi‑Fi remains offline while the incident is investigated.

What happened

On 13 January 2026 AZ Monica (campuses in Deurne and Antwerp) took down servers after a ransomware incident that disrupted normal operations. Non‑urgent procedures were cancelled and several patients requiring critical care were transferred to nearby hospitals while IT teams worked to contain the incident. For several weeks staff relied on paper records and manual processes while clinical teams prioritized patient safety and continuity of care.

AZ Monica has told media it did not pay a ransom and, as of current public statements, there are no confirmed reports of patient data exfiltration. The Antwerp public prosecutor has opened an investigation; technical details about the intrusion and attack vector have not been released.

Operational impact

The outage produced measurable operational effects: longer waiting times, cancelled surgeries and a temporary reduction in emergency capacity. Because electronic patient records were unavailable, clinicians asked patients to bring medication packaging and any personal medical records. The hospital temporarily used a patient-facing app to exchange limited clinical information when safe to do so.

Response and recovery

Hospital IT teams have restarted affected servers and restored most clinical applications, including e‑prescribing, imaging and the electronic patient dossier. AZ Monica has restricted visitor Wi‑Fi and tightened network access for staff as part of a staged recovery and hardening process.

The hospital states it did not pay a ransom and reports no confirmed data theft; those assertions remain subject to investigation by local prosecutors. Forensic preservation and log collection are ongoing as authorities and the hospital evaluate the attack vector and scope.

Context

Healthcare organisations are a frequent ransomware target; recovery often requires extensive manual reconciliation and validation. This incident reinforces sector lessons about the importance of tested backups, network segmentation and rapid forensic preservation. Editors should verify HLN’s findings before citing any exposed-record counts and rely on official statements or forensic reports for technical attribution.

New developments

Follow-up reporting documents the phased restoration of systems: Security.NL reported that electronic patient records were brought back online within weeks, while other systems were restored later as validation and data reconciliation continued. A separate HLN story suggests security researchers identified an additional data exposure affecting multiple hospitals; HLN’s article is behind a paywall and the specific figures reported require editorial verification before attribution.

We have added the original reporting links to our research notes for verification and encourage editors to confirm any numeric claims with primary sources or the publisher before publishing them as fact.

Analyst takeaway

AZ Monica’s recovery timeline is consistent with other large healthcare ransomware incidents: containment and safe restoration commonly take weeks while teams validate backups and re‑enter records recorded during manual operations. The public details remain limited; HLN’s paywalled report about a broader exposure requires confirmation before it can be treated as verified.

Recommendations for providers

  • Contain and preserve: isolate affected systems, collect forensic logs and preserve images for investigators.
  • Validate backups: confirm backups are complete and uncompromised before any restores; perform staged restores on isolated networks.
  • Communicate clearly: coordinate disclosures with prosecutors, data protection authorities and affected patients while avoiding premature claims about data loss.
  • Share indicators: where possible, share technical indicators with sector CERTs to inform peer defenses.
  • Follow authoritative guidance: use CISA and NCSC recovery and ransomware playbooks to guide operational response and reporting.

For additional context on extended recoveries see our earlier coverage: Scottish Council Two Years into Ransomware Recovery.