ctipilot.ch · Switzerland · Europe · Public sector

ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications

incident · incident:chipsoft-embargo-2026

  • Coverage timeline: 1 (first 2026-05-07 → last 2026-05-07)
  • Briefs: 1 (1 distinct)
  • Sources cited: 7 (7 hosts)
  • Sections touched: 1 (incidents)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-07 · CTI Daily Brief — 2026-05-07
    incidents · First coverage. Attack 2026-04-07; HiX platform serves ~75% of Dutch hospitals; Embargo group identified; 100 GB patient data claimed exfiltrated; attacker claims destruction (implies ransom paid); 66 Dutch DPA notifications; vendor confirmed incident.

Where this entity is cited

  • incidents: 1

Source distribution

  • bsi.bund.de: 1 (14%)
  • cert.ssi.gouv.fr: 1 (14%)
  • security-hub.ncsc.admin.ch: 1 (14%)
  • surf.nl: 1 (14%)
  • dutchnews.nl: 1 (14%)
  • nltimes.nl: 1 (14%)
  • therecord.media: 1 (14%)

Related entities

Items in briefs about ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications (2)

UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances

From CTI Daily Brief — 2026-05-09 · published 2026-05-10

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR advisory CERTFR-2026-AVI-0552 and the BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action; NCSC-NL scanning identified 508 EU on-premises instances as internet-accessible as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window:

  • European Commission (DG DIGIT notified, isolated affected infrastructure)
  • Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing)
  • Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment)
  • Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published)

All named organisations used EPMM in an MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints, including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.

UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.