‘No evidence’ data stolen in cyberattack used for criminal purposes, HSE says

The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service.

James Ward
Monday 20 December 2021 17:31
The ransomware attack on the HSE occurred in May (PA)
The ransomware attack on the HSE occurred in May (PA)

There is “no evidence” that data stolen in a cyberattack on the HSE this year was published online or used for criminal purposes, the health board said.

The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service, leading to mass cancellations of appointments and surgeries.

The HSE has been given a copy of the stolen data from gardai, which they received from the Department of Justice in the United States.

A spokesperson said: “The HSE has been monitoring the internet including the dark web since the cyberattack and has seen no evidence at this point that this stolen data has been published online or used for any criminal purposes.

We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted

HSE spokesperson

“The HSE carried out an initial technical examination of the material over the weekend and has confirmed that it is data removed from HSE systems.”

The HSE said it has updated the office of the Data Protection Commission (DPC) on the development, and will continue to engage with them under its GDPR obligations.

“The HSE is reviewing this material to identify any individuals whose personal data was stolen and will notify the relevant data controller as required and affected individuals as required following engagement with the DPC,” the spokesperson said.

“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted.

“We expect that this material will include a mix of personal data, medical information, HSE corporate information, commercial data and general non-personal administrative data.

“Personal data means information about individuals, such as names, addresses, contact phone numbers and email addresses.

Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC

HSE spokesperson

“Medical information would include medical records, notes and treatment histories.

“Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC. You do not need to do anything or contact the HSE.”

Work on investigating the cyberattack continues with the HSE, technical experts and An Garda Siochana.

The HSE said while it has seen “no evidence of inappropriate use of stolen or copied data”, it will continue to monitor the dark web and social media outlets.

Since May 20 2021, the HSE has had a High Court order in place to stop all stolen data including personal and medical information that may have been stolen in the cyberattack from being published online.

“The HSE will enforce this order and take appropriate action where necessary to protect this information,” the spokesperson said.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in