Skip to main content

Recommended links

Warning notification:Warning

Unfortunately, you are using an outdated browser. Please, upgrade your browser to improve your experience with HSE. The list of supported browsers:

  1. Chrome
  2. Edge
  3. FireFox
  4. Opera
  5. Safari

Cyber-attack and HSE response

Our health service was targeted by a criminal cyber-attack in 2021.

The aim of this attack was to disrupt our health services and computer systems, access and copy information, and demand a ransom for its return.

We stopped the attack when we became aware of it. No ransom was paid. We have no evidence that any of the information has been used in scams or fraud.

We will write to you if you are affected

We are notifying 90,000 people.

If you have received a letter about the cyber-attack

If we do not write to you

If we do not write to you, you do not need to do anything.

There is no need to contact us.

It’s OK to be concerned about online scams and fraud. They are common.

We are doing all we can to make sure an attack like this does not happen again. We will act straight away if cyber security experts find any more evidence related to the attack.

What to do if you get a suspicious phone call, text or email

No evidence of scams or information online

We have no evidence that any of the illegally accessed information has been used in scams or fraud. This is after more than 2 years of investigation and careful online monitoring.

A small amount of HSE information appeared on the 'dark web' immediately after the cyber-attack. This information has since been taken down. The dark web is a part of the internet you can only get to using special computer programs.

After two years of investigation and careful online monitoring, we have no evidence that any other information has been published online.

Protect yourself from scams or attempted fraud

Why we had to wait to contact people

Gardaí worked with international law enforcement agencies to investigate the cyber-attack as soon as it happened. Their investigation is still on-going.

At the end of December 2021 they were able to give us as a copy of the illegally accessed and copied documents. They did this under a mutual legal assistance treaty. This is an agreement that allows different countries collect and exchange information in the investigation of a crime.

We have carefully reviewed all of this information to identify the people we need to write to under GDPR.

This has taken a number of months because there are tens of thousands of documents we have had to:

  • examine
  • review
  • cross-check

We started to notify people in November 2022. We did this in a staggered way, This is due to the numbers of people impacted.

For each person we are writing to, we need to:

  • review and collect information from different documents related to them
  • correctly identify them
  • verify that they are the correct person before writing to them

How the attack happened

The hackers used ransomware to encrypt our files and block access to them. Ransomware is a type of computer software known as malware. Malware is designed to disrupt a computer network and its security.

To get access to the HSE network, the hackers used a 'phishing' email. A phishing email is an email that looks like a real email from a trusted organisation. The emails usually try to convince a person to click a link, open a file or enter personal information.

This phishing email was sent to a user on the HSE network in March 2021. When an attachment in the email was opened, the malware was secretly downloaded. The hackers then triggered the ransomware attack in May 2021.

HSE response to the attack

The attack was stopped as soon as we became aware of it. No ransom was paid.

A High Court Order is in place to prevent anyone using any of the illegally accessed and copied information. Anyone who does this can be sent to prison.

High Court injunction restricting any sharing, processing, selling or publishing of stolen data (PDF, 4 pages, 460KB)

Monitoring the internet

Cyber security experts continue to monitor the internet and the dark web for the illegally accessed information. They are looking for any signs of it being published or used.

If they find any evidence that the information is published or used online, we will act straight away. We will work with digital publishers, search engines and social media networks to ensure it is removed as soon as possible and is not shared.

Working with agencies

When we became aware of the attack we immediately told:

The National Cyber Security Centre has advised us about how the illegally accessed information may be misused. We continue to help the Gardaí with their ongoing investigation.

Stronger cyber security

Cyber crime is common and is becoming more advanced. It is possible an attack like this could happen again. We are doing all we can to make sure it does not.

Since the incident we have:

  • made our IT and cyber security much stronger
  • trained our staff about cyber security
  • worked with international and national cyber security experts to protect against future attacks

For cyber security reasons, we do not go into detail on exactly what security measures we have put in place. But we have advanced measures in place and we are improving these regularly.

Page last reviewed: 26 May 2023

Back to Cyber-attack