Three European ransomware crises exposed the limits of conventional backups. Here is why critical medical data needs storage an attacker cannot reach.
In November 2025, the UK government put in writing something security researchers had warned about for years. A written ministerial statement confirmed that the June 2024 ransomware attack on Synnovis, a London pathology provider, caused delays to more than 11,000 outpatient and elective procedure appointments and, in the government's own words, "tragically, contributed to the death of a patient." It was the clearest official acknowledgement yet that an attack on hospital IT is an attack on patient safety.
Synnovis was not an isolated failure. Over the past five years, ransomware has repeatedly taken hospital systems offline across Europe, and a consistent pattern has emerged in how the damage happens and how long it lasts.
Attackers favour hospitals for structural reasons, not luck. A hospital runs a sprawling attack surface: thousands of staff, high turnover, large fleets of connected medical devices, and a web of third-party suppliers, each one a potential way in. It is also an organisation that cannot tolerate downtime; when charts, imaging and laboratory systems go dark, care stops, and that is precisely the leverage an extortionist wants. For attackers chasing disruption or attention rather than money, few targets generate more pressure than a hospital forced to turn patients away.
The 2021 attack on Ireland's Health Service Executive, carried out by the Russia-linked Conti ransomware gang, remains one of the most sweeping assaults on a national health system on record. To contain the spread, the HSE shut down its entire nationwide network, and because Irish healthcare is highly centralised, hospitals across the country were crippled at once. Doctors reverted to pen and paper, with runners carrying laboratory results between departments, and radiology, oncology planning and COVID-19 testing software went offline. The independent post-incident review later put full recovery at months and the cost at 100 million euro or more.
The Synnovis case showed that the target does not even have to be the hospital. The Qilin ransomware group struck Synnovis, the provider handling blood tests and biopsies for several major NHS trusts, including King's College Hospital and Guy's and St Thomas'. With blood matching paralysed, hospitals postponed thousands of appointments and issued urgent public appeals for O-type blood donors, whose blood can be given safely when a patient's exact type cannot be confirmed. The disruption ran long: more than a year later, staff were still clearing backlogs by hand. It was this attack that the government would later link to a patient's death.
The starkest example came a year earlier. The DoppelPaymer ransomware, reportedly aimed at a nearby university, encrypted thirty servers at University Hospital Dusseldorf and brought down its main network. The hospital had to de-register from the regional emergency system, so it could no longer accept ambulances. A woman in a life-threatening condition was diverted to a hospital in Wuppertal, roughly 30 kilometres away, and died. German prosecutors opened a negligent-homicide inquiry into the attackers, the first of its kind, though it was eventually dropped when investigators could not prove the delay had caused her death. Even without that proof, the case remains a landmark in how directly cybercrime can reach human life.
In all three cases, there was no quick restore. Modern hospital networks are so tightly integrated that once ransomware takes hold, recovery is measured in weeks or months, not hours. Conventional backups fail here for one blunt reason: they are connected. If a backup can be reached over the network, it can be encrypted, corrupted or deleted by the same attacker who took down production, and modern ransomware crews hunt for backups first. A copy of your data that an intruder can reach is a copy an intruder can destroy.
A backup you can reach over the network is a backup an attacker can reach too.
SpaceBox is built on the opposite assumption: that everything else will eventually be breached. An on-premises SpaceBox vault keeps a hospital's most critical data, medical records above all, in storage that an intruder cannot quietly reach or rewrite. It has no internet connection, which removes the remote path ransomware depends on. Its storage is hardware-enforced and append-only, so files can be added but not deleted or altered, even by someone holding full administrative credentials. Retrieval requires approval from several people, so no single compromised or coerced account can pull data out, and a mandatory waiting period adds a final barrier against rushed or automated extraction.
The result is that even if a hospital loses its entire IT estate, as Dublin, London and Dusseldorf effectively did, the records in the vault stay intact and retrievable. Recovery starts from a known-good copy instead of a ransom negotiation. Ransomware gangs count on their victims having no clean fallback; the point of an offline, immutable vault is to make sure that assumption is wrong.