Our health service was targeted by a criminal cyber-attack in 2021.
The aim of this attack was to disrupt our health services and computer systems, access and copy information, and demand a ransom for its return.
We stopped the attack when we became aware of it. No ransom was paid. We have no evidence that any of the information has been used in scams or fraud.
We will write to you if you are affected
We are notifying 90,000 people.
If we do not write to you
If we do not write to you, you do not need to do anything.
There is no need to contact us.
It’s OK to be concerned about online scams and fraud. They are common.
We are doing all we can to make sure an attack like this does not happen again. We will act straight away if cyber security experts find any more evidence related to the attack.
No evidence of scams or information online
We have no evidence that any of the illegally accessed information has been used in scams or fraud. This is after more than 2 years of investigation and careful online monitoring.
A small amount of HSE information appeared on the 'dark web' immediately after the cyber-attack. This information has since been taken down. The dark web is a part of the internet you can only get to using special computer programs.
After two years of investigation and careful online monitoring, we have no evidence that any other information has been published online.
Why we had to wait to contact people
Gardaí worked with international law enforcement agencies to investigate the cyber-attack as soon as it happened. Their investigation is still on-going.
At the end of December 2021 they were able to give us as a copy of the illegally accessed and copied documents. They did this under a mutual legal assistance treaty. This is an agreement that allows different countries collect and exchange information in the investigation of a crime.
We have carefully reviewed all of this information to identify the people we need to write to under GDPR.
This has taken a number of months because there are tens of thousands of documents we have had to:
We started to notify people in November 2022. We did this in a staggered way, This is due to the numbers of people impacted.
For each person we are writing to, we need to:
- review and collect information from different documents related to them
- correctly identify them
- verify that they are the correct person before writing to them
How the attack happened
The hackers used ransomware to encrypt our files and block access to them. Ransomware is a type of computer software known as malware. Malware is designed to disrupt a computer network and its security.
To get access to the HSE network, the hackers used a 'phishing' email. A phishing email is an email that looks like a real email from a trusted organisation. The emails usually try to convince a person to click a link, open a file or enter personal information.
This phishing email was sent to a user on the HSE network in March 2021. When an attachment in the email was opened, the malware was secretly downloaded. The hackers then triggered the ransomware attack in May 2021.
HSE response to the attack
The attack was stopped as soon as we became aware of it. No ransom was paid.
A High Court Order is in place to prevent anyone using any of the illegally accessed and copied information. Anyone who does this can be sent to prison.
Monitoring the internet
Cyber security experts continue to monitor the internet and the dark web for the illegally accessed information. They are looking for any signs of it being published or used.
If they find any evidence that the information is published or used online, we will act straight away. We will work with digital publishers, search engines and social media networks to ensure it is removed as soon as possible and is not shared.
Working with agencies
When we became aware of the attack we immediately told:
- the Data Protection Commission
- the National Cyber Security Centre
- the Gardaí
- the Irish Defence Forces
- the relevant Government departments
The National Cyber Security Centre has advised us about how the illegally accessed information may be misused. We continue to help the Gardaí with their ongoing investigation.
Stronger cyber security
Cyber crime is common and is becoming more advanced. It is possible an attack like this could happen again. We are doing all we can to make sure it does not.
Since the incident we have:
- made our IT and cyber security much stronger
- trained our staff about cyber security
- worked with international and national cyber security experts to protect against future attacks
For cyber security reasons, we do not go into detail on exactly what security measures we have put in place. But we have advanced measures in place and we are improving these regularly.