
Akira Ransomware Hits Swiss Medical Network 3R Again 2026

The second Akira attack on the Réseau Radiologique Romand in twelve months exposes a structural vulnerability in Swiss clinical IT that applies to every hospital network in the country.

On April 30, 2026, Groupe 3R — the Réseau Radiologique Romand, a network of 20 medical imaging centres operating across seven Swiss cantons — was struck by a ransomware attack that disrupted its IT systems and forced rescheduling of patient appointments. On May 8, the Akira ransomware group publicly claimed responsibility. This was not Groupe 3R's first encounter: a similar attack had occurred in April 2025, twelve months earlier. The organisation reported the incident to the Federal Office for Cybersecurity (OFCS/BACS), filed a criminal complaint, and refused to pay the ransom. The pattern raises a question that goes beyond this one organisation: why does Swiss healthcare IT remain persistently vulnerable to the same threat actors, using the same attack model, in consecutive years?

Timeline and Operational Impact

The attack began on April 30, 2026. Groupe 3R detected disruptions to its IT systems and immediately activated incident response procedures, taking affected systems offline to contain lateral spread. All 20 imaging centres across the cantons of Vaud, Valais, Fribourg, Neuchâtel, Geneva, Jura, and Bern remained open, but operational capacity was reduced. Examinations requiring access to digital imaging systems or network-connected PACS infrastructure had to be rescheduled. The clinical continuity protocols that allowed centres to remain open were implemented following the April 2025 attack — the organisation had prepared for a recurrence, even if it could not prevent one.

On May 6, ICTjournal and RTS reported the incident publicly. On May 8, Akira listed Réseau Radiologique Romand on its leak site, confirming data exfiltration and threatening public release unless negotiations were initiated. Groupe 3R confirmed the claim and maintained its position of non-payment, consistent with its response to the 2025 incident. OFCS was notified in compliance with the mandatory reporting obligation that has applied to critical infrastructure operators since April 1, 2025. A criminal complaint was filed with the cantonal police.

Akira's Targeting Profile and Operational Pattern

Akira is a ransomware-as-a-service operation that emerged in 2023 and has become one of the most prolific groups targeting European healthcare. Its technical profile is well-documented across CISA, Europol, and commercial threat intelligence reports. Initial access is typically achieved through exploited VPN credentials — particularly Cisco ASA/FTD appliances without MFA — brute-forced RDP, or compromised remote access infrastructure. Akira operators maintain extended dwell times, averaging 14 to 21 days between initial access and ransomware deployment, during which they perform reconnaissance, harvest credentials, and exfiltrate data before triggering encryption.

The group's double extortion model has proven commercially effective: even organisations with functioning backups face pressure from the threat of data publication. For a medical imaging network, the exfiltrated data — radiology reports, patient demographics, referring physician information, and potentially clinical histories — is sensitive under both nDSG and applicable cantonal health data protection frameworks. The threat of publication carries regulatory consequences beyond reputational damage.

That Akira returned to the same target twelve months later is consistent with a documented re-attack pattern. Healthcare organisations that fail to remediate the initial access vector after an incident are re-attacked by the same group or by actors who purchase access from the original intrusion broker on underground markets. The specific initial access vector for the April 2025 attack was not publicly disclosed. If it was not fully remediated, the April 2026 attack was predictable.

Why Swiss Healthcare IT Remains Structurally Exposed

The persistent vulnerability of Swiss medical networks to ransomware reflects structural conditions, not isolated security failures. Clinical IT environments face several converging constraints that create an attack surface easier to target than financial or government infrastructure.

Legacy imaging infrastructure is a primary factor. PACS servers and DICOM modalities — the devices that generate and store radiology images — often run end-of-life operating systems, cannot be patched without vendor certification, and are connected to the same network segments as administrative IT. In many smaller cantonal facilities and regional networks, segmentation between clinical operational technology and administrative IT is inadequate or absent. A successful intrusion into the administrative network provides lateral movement paths directly to clinical systems.

Remote access infrastructure is the second major factor. The expansion of remote radiology — where radiologists interpret images from off-site locations — requires network-accessible PACS infrastructure. This access pathway, when it is not protected by MFA and zero-trust principles, is the primary initial access vector for Akira and comparable groups. Any Cisco ASA, Fortinet, or Pulse Secure VPN appliance serving a Swiss healthcare network without enforced MFA and current firmware is a viable initial access target.

Budget constraints are structural rather than organisational. Swiss healthcare facilities operate under DRG reimbursement frameworks that constrain discretionary IT spending. Security investment competes directly with clinical infrastructure, and the consequence of inadequate security materialises infrequently — until it materialises catastrophically and operationally.

◆ Key Takeaway

Akira returned to Groupe 3R twelve months after the first attack. The return is not coincidental — it reflects a failure to close the original initial access vector. Every Swiss healthcare network that experienced a ransomware incident in 2024 or 2025 without conducting a root-cause analysis focused on initial access, and without implementing MFA on all remote access infrastructure, should treat itself as a likely re-attack target.

What 3R Did Right — and What the Sector Must Adopt

Groupe 3R's incident response demonstrates several elements of mature handling under the ISA framework. Immediate system isolation limited lateral spread. OFCS notification fulfilled the mandatory reporting obligation introduced in April 2025. Criminal complaint filing creates a legal record and supports cantonal and federal law enforcement investigations. Non-payment of ransom, while operationally difficult, removes the financial incentive that sustains double-extortion operations and is consistent with national guidance from OFCS and ENISA.

The clinical continuity protocols that allowed all 20 centres to remain open — implemented after the 2025 attack — represent exactly the kind of operational resilience improvement that post-incident reviews should generate. The gap is in the preventative controls: the fact that a second attack succeeded at all indicates the initial access vector was not fully closed.

For the Swiss healthcare sector broadly, the 3R incident should be treated as a sector-wide signal rather than an isolated case. Twenty imaging centres across seven cantons constitute critical clinical infrastructure. The second successful attack in twelve months on the same network makes the structural vulnerability of Swiss medical IT impossible to attribute to bad luck.

  • Audit all remote access infrastructure — VPN appliances, RDP endpoints, Citrix gateways — and enforce MFA on every externally accessible entry point; this is Akira's primary initial access vector.
  • Segment clinical operational technology (PACS servers, DICOM modalities) from administrative IT using network zones with explicit allow-list rules; no administrative credential should be valid on the clinical segment.
  • Conduct a root-cause analysis of any previous ransomware incident specifically focused on the initial access vector — not the ransomware payload — and document remediation of that vector before closing the incident.
  • Implement offline, air-gapped backups for clinical imaging data; the ability to restore PACS infrastructure independently of network connectivity is the primary operational defence against ransomware-driven service disruption.
  • Verify that mandatory ISA reporting procedures are operationally rehearsed — the 24-hour notification window to OFCS requires a prepared process, not an improvised one discovered mid-incident.
  • Engage a threat intelligence service tracking Akira and healthcare-targeting ransomware groups; early warning of campaign activity targeting Swiss healthcare can provide time to harden exposed infrastructure.
  • Review clinical equipment vendor contracts for patch certification timelines and legacy system roadmaps — PACS vendors with multi-year patch certification processes create structural patch debt that security controls must compensate for.
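
The segmentation recommendation above can be checked mechanically. The following is an added example, not part of the original article: it audits a firewall rule export against an explicit allow-list for the clinical zone. All zone addresses, rule names and the rule format are constructed for illustration, and the check is order-independent (it assumes every allow rule can match, ignoring first-match precedence).

```python
import ipaddress as ip

# Constructed sample data: zones, allow-list and rules are hypothetical.
CLINICAL = ip.ip_network("10.20.0.0/16")  # PACS servers, DICOM modalities
# Explicit allow-list into the clinical zone: (source network, protocol, port)
ALLOW = {
    (ip.ip_network("10.30.5.0/28"), "tcp", 11112),  # reading workstations, DICOM
    (ip.ip_network("10.30.5.0/28"), "tcp", 2762),   # DICOM over TLS
}
RULES = [  # (name, source, destination, protocol, port or None for any, action)
    ("rad-ws-dicom", "10.30.5.0/28", "10.20.1.10/32", "tcp", 11112, "allow"),
    ("admin-rdp",    "10.10.0.0/16", "10.20.0.0/16",  "tcp", 3389,  "allow"),
    ("legacy-any",   "10.0.0.0/8",   "10.0.0.0/8",    "any", None,  "allow"),
    ("vpn-to-mail",  "10.99.0.0/24", "10.10.4.0/24",  "tcp", 443,   "allow"),
    ("deny-clin",    "0.0.0.0/0",    "10.20.0.0/16",  "any", None,  "deny"),
]

def permitted(src, proto, port):
    """True if (src, proto, port) is fully covered by one allow-list entry."""
    if port is None or proto == "any":
        return False  # a wildcard rule can never equal an explicit entry
    return any(src.subnet_of(a_src) and proto == a_proto and port == a_port
               for a_src, a_proto, a_port in ALLOW)

def audit(rules):
    """Return names of allow rules that reach the clinical zone outside the allow-list."""
    findings = []
    for name, src, dst, proto, port, action in rules:
        if action != "allow":
            continue
        src_n, dst_n = ip.ip_network(src), ip.ip_network(dst)
        # overlaps() also catches broad rules (10.0.0.0/8) that never name the zone
        if dst_n.overlaps(CLINICAL) and not permitted(src_n, proto, port):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in audit(RULES):
        print("violates clinical allow-list:", name)
```

The broad `legacy-any` rule is flagged even though it never mentions the clinical subnet, which is the typical way an administrative-to-clinical path survives a segmentation project.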

The 3R incident is a specific instance of a general problem Swiss healthcare IT has not yet resolved. The ISA mandatory reporting obligation ensures incidents are documented. It does not prevent them. The investment required to enforce MFA on remote access, segment clinical networks, and maintain offline backups is not large relative to the operational cost of a ransomware event. What it requires is a governance decision to treat cybersecurity as critical infrastructure investment. Until that decision is made consistently across Swiss healthcare institutions, groups like Akira will continue to return — and the operational consequences will continue to fall on patients.