
#CyberWeekly

Apr 13 - Apr 19, 2026

ChipSoft ransomware knocks Belgian and Dutch hospitals offline — patient data confirmed stolen

Source: BleepingComputer

A ransomware attack on ChipSoft, the vendor behind 80% of Dutch hospital patient record systems, forced 11 hospitals to take their systems offline and disrupted patient portals across Belgium and the Netherlands. On April 15, ChipSoft confirmed that patient data was stolen — after initially telling clients their data was "probably" safe.

  • Who was hit: Sint Jans Gasthuis (Weert), Laurentius Hospital (Roermond), VieCuri Hospital (Venlo), Flevo Hospital (Almere), Rotterdam Eye Hospital, and family doctors and rehab clinics using the cloud-hosted HiX 365 platform. In Belgium: Hospital aan de Stroom, Hospital Oost-Limburg, and Hospital Delta all lost access to patient portals
  • What was stolen: ChipSoft confirmed patient data was exfiltrated. The Dutch Parliament has opened a probe. No ransomware group has claimed responsibility yet
  • The supply chain lesson: one vendor breach took out hospital systems across two countries. Over 60% of Belgian citizens access medical records through digital portals that rely on third-party software like ChipSoft
  • What Z-CERT recommends: audit ChipSoft-connected systems for unusual traffic, report anything suspicious through their incident line

This is supply chain risk at scale. If your MSP clients serve healthcare, the supplier security guide covers exactly how to assess third-party vendors — and your ransomware response plan should include scenarios where the breach is at your vendor, not your own systems.

BleepingComputer: full timeline →

Platform Spotlight: Microsoft Graph meets compliance — your M365 data now auto-fills intake forms

Compliance on autopilot — your M365 data does the paperwork

This week we shipped Microsoft Graph integration: connect your Microsoft 365 account and your compliance intake forms auto-fill with real data from your tenant. Combined with a new AI document pipeline, your policies now draft themselves from your actual entity data — not generic templates.

  • Graph auto-fill: connect M365 once and your organisation name, domain, user list, and device inventory flow directly into compliance intake fields. No more copy-pasting between admin portals and compliance documents
  • Entity-group placeholders: policies and procedures now reference your actual entity groups — servers, workstations, mobile devices, user roles — with an autocomplete picker. When your inventory changes, documents stay current
  • Composable document pipeline: AI drafts each policy section using your real entity data as context. The result reads like it was written for your organisation, because it was
  • Policy clustering: the system detects when an existing policy already covers a topic and offers to extend it rather than creating duplicates. Less document sprawl, more coherent compliance

The goal is simple: compliance documents that reflect your actual infrastructure, not a fantasy version you filled in by hand. Start with the NIS2 checklist and let Graph + AI do the heavy lifting. MSPs can connect client tenants and generate intake data across their entire portfolio.

Try it now →

Basic-Fit breach exposes bank details of 1 million gym members across six countries — Belgium included

European gym giant Basic-Fit disclosed a data breach on April 13 affecting up to 1 million members across Belgium, the Netherlands, France, Germany, Luxembourg, and Spain. The stolen data includes bank account details, names, addresses, emails, phone numbers, and dates of birth.

  • Scale: 1 million of Basic-Fit's 5 million European members were affected. In the Netherlands alone, 200,000 individuals were impacted. Belgian members were explicitly listed among those notified
  • What was exposed: full names, home addresses, email addresses, phone numbers, dates of birth, bank account numbers, and membership details. Passwords and ID documents were not accessed
  • How it was caught: system monitoring detected the unauthorised access and stopped it "within minutes." An external investigation confirmed some data had been downloaded before containment
  • What to watch for: with bank details and personal information in hand, targeted phishing and direct debit fraud are the immediate risks. Basic-Fit warned members to watch for suspicious emails

A gym membership breach might sound low-stakes, but bank account numbers plus home addresses plus dates of birth is everything a fraudster needs for social engineering attacks. If your clients or employees are Basic-Fit members, flag this in your next phishing awareness session.

BleepingComputer: Basic-Fit breach details →

NIS2 D-Day: the April 18 self-assessment deadline is here — what happens if you miss it

Tomorrow is April 18, 2026 — the binding deadline for Belgian essential entities to submit their CyFun self-assessment or ISO 27001 documentation to the CCB. This is not a procedural formality. The CCB has been clear: failure to submit may result in administrative measures, financial penalties, and further supervisory action.

  • Three submission paths: (1) CyFun Basic or Important verification from an accredited CAB, (2) ISO 27001 certification scope and Statement of Applicability, or (3) self-assessment documentation with a formal inspection request
  • What happens after: the CCB will begin ex-ante supervision — reviewing submissions and following up with entities that submitted incomplete documentation or missed the deadline entirely
  • Penalties: up to 10 million euro or 2% of global turnover, plus personal director liability. The CCB can also impose additional supervisory measures on non-compliant entities
  • If you are not ready: submitting an incomplete self-assessment with a credible remediation timeline is better than submitting nothing. The CCB has indicated that demonstrating active progress matters

If you are an MSP with clients still scrambling, our NIS2 deadlines overview breaks down what each entity type must submit. The compliance checklist maps directly to CyFun Basic controls — start there and work through it systematically.

Start your self-assessment →

CCB: official deadline guidance →



Tom Janssens

Editor, #CyberWeekly — LinkedIn
