What nobody tells you when a hospital gets attacked.
A French hospital takes two years to recover from a ransomware attack. 1,000 workstations, 200 applications, patient records lost forever. I lived through a ransomware attack in 2018. What makes me angry is not the attack.

I lived through a ransomware attack. In 2018. Not in a hospital, in a small organisation. We had backups, and that is what saved us. Two months to recover. Two months in which every morning started with the same question: what works today? Two months rebuilding, checking, doubting every restored file, wondering whether something had been forgotten in some corner of the system. And we were small. A few dozen workstations. A handful of applications.
The Pontarlier hospital, in the Doubs, has been living through the same thing since October 2025. But on a scale beyond comparison. More than 1,000 workstations. Around 200 applications. An information system on which prescriptions, laboratory results, billing, patient monitoring and the phone switchboard all depend. Everything. Six months after the attack, the return to normal is not expected before early 2027.
When you read this kind of thing in the press, you remember the number. Two years. It is shocking, and it goes by fast. What you do not remember is everything that plays out between the incident and that distant date. And yet that is where the heart of it lies.
The daily reality no article describes
What people do not see is an entire hospital running on paper. Handwritten prescriptions. Test results circulating in physical form. Nurses noting by hand what software used to record in two clicks. Doctors who no longer have access to their patients' history. A phone switchboard gone silent for months.
What people do not see is the paralysed billing. The hospital delivers care it can no longer code, examinations it can no longer bill, procedures whose administrative trace exists nowhere. The Agence Régionale de Santé released 2 million euros in exceptional aid. It will not be enough. The operating loss will run into the millions. And some of the procedures carried out during those months will never be recovered. A blood test that does not appear in the digital record at the moment of the rebuild is a procedure that no longer exists administratively. It was done. The patient was treated. But the system will never know it.
What people also do not see is the weight on the teams. I remember, in 2018, the exhaustion that sets in from the second week. Not the exhaustion of one sleepless night. The exhaustion of a continuous effort, with no clear horizon, with no certainty that what you rebuild today will not cause a problem tomorrow. In a small organisation, it was already heavy. In a hospital where caregivers have to take care of patients and at the same time compensate manually for every function that IT used to handle, it is crushing. And it has lasted six months.
The problem is not the attack. It is what does not happen afterward.
The director of the Pontarlier hospital is calling for a nationalised protocol to handle these situations. He says his hospital is not the only one going through this. He is right down the line. And that is exactly what makes me angry.
In 2022/2023, the Fédération Wallonie-Bruxelles commissioned a cybersecurity maturity audit of around a hundred Belgian municipal administrations and local authorities. I was the lead auditor on that assignment. I supervised all hundred audits. The findings were damning: an appalling level of maturity, exposed infrastructure, continuity plans that were non-existent or theoretical, teams without resources and without training.
Among the recommendations I handed in, there was one I considered structural: the creation, at the federal level, of a dedicated emergency response capability. Not a best-practices guide. Not yet another framework. An operational response force, able to intervene concretely on the most serious cases, to streamline the rebuilding effort, to pool the technical skills these organisations cannot afford to maintain in-house. The idea was simple: nationalise the remediation effort so that affected institutions can get back on their feet as quickly as possible, instead of leaving them alone in the face of a disaster they have neither the skills nor the budget to handle.
That was in 2023. We are in 2026. Nothing has happened. Neither this recommendation, nor any of the others, for that matter.
Every hospital for itself, and ransomware for all
What is playing out in Pontarlier is exactly the scenario we described three years ago. A public, medium-sized organisation, without the resources of a university hospital, left alone in the face of a two-year rebuild. With welcome but insufficient financial aid. With exhausted teams. With lost data. With 700,000 euros of equipment to buy back and an operating loss in the millions. And with no dedicated national structure to come and lay hands on the system and speed up the rebuild.
The hospital chose to rebuild with a level of security aligned with NIS2. That is brave and it is necessary. But NIS2 is a prevention framework. What Pontarlier needed the day after the attack was not a framework. It was a team. People able to land on site, assess the damage, prioritise the rebuild, bring a technical baseline back up in weeks rather than months. And to build on that experience so that the next hospital does not start from scratch.
That kind of capability exists in some countries. It exists in the private sector for organisations that can afford incident response contracts with specialised providers. It does not exist for a provincial hospital. It does not exist for a town of 15,000 people. It does not exist for the organisations that need it most.
What Pontarlier should set off
I hold nothing against the Pontarlier hospital. They make do with what they have, and the transparency they show is remarkable. What I hold against the system is the structural inertia that means, in 2026, a healthcare organisation hit by ransomware still finds itself alone in the face of two years of rebuilding.
We had made the diagnosis in 2023. We had formulated the recommendation. The answer was silence. And during that silence, the attacks continued, the organisations kept falling, and each one kept getting back on its feet alone, in its own corner, with its own means, reinventing the same solutions the previous one had invented six months earlier.
When I look back on our two months of rebuilding in 2018, with our small organisation and our backups that worked, I measure the gap. Two months was already a chasm. Two years, for a hospital, is another dimension entirely. And the difference between the two is not only a question of size. It is a question of solitude.
The next Pontarlier is already in the queue. The question is not whether it will fall. It is whether it will still be alone when it does.
Questions fréquentes
What happened at the Pontarlier hospital?
Since October 2025, the hospital has been hit by a ransomware attack affecting more than 1,000 workstations and around 200 applications. Six months after the attack, the return to normal is not expected before early 2027.
Why does the rebuild take so long?
An information system on which prescriptions, laboratory results, billing, patient monitoring and the phone switchboard depend has to be rebuilt and checked piece by piece. For a medium-sized organisation, without the resources of a university hospital or dedicated national support, the effort runs into years.
What are the invisible consequences of such an attack?
Running on paper, care delivered but impossible to code or bill, procedures that vanish administratively, and a crushing, lasting burden on caregivers who compensate manually for every IT function.
What solution does the author advocate?
The creation of a national emergency remediation capability: an operational team able to intervene on site, to prioritise and speed up the rebuild, and to build on that experience for the next organisations, rather than yet another framework.
Is NIS2 enough to answer the problem?
No. NIS2 is a prevention framework, brave and necessary for rebuilding with a better level of security, but it does not replace the operational response force an organisation needs the day after an attack.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
