‘No evidence’ data stolen in cyberattack used for criminal purposes, HSE says

·2-min read
The ransomware attack on the HSE occurred in May (PA) (PA Media)
The ransomware attack on the HSE occurred in May (PA) (PA Media)

There is “no evidence” that data stolen in a cyberattack on the HSE this year was published online or used for criminal purposes, the health board said.

The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service, leading to mass cancellations of appointments and surgeries.

The HSE has been given a copy of the stolen data from gardai, which they received from the Department of Justice in the United States.

A spokesperson said: “The HSE has been monitoring the internet including the dark web since the cyberattack and has seen no evidence at this point that this stolen data has been published online or used for any criminal purposes.

We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted

HSE spokesperson

“The HSE carried out an initial technical examination of the material over the weekend and has confirmed that it is data removed from HSE systems.”

The HSE said it has updated the office of the Data Protection Commission (DPC) on the development, and will continue to engage with them under its GDPR obligations.

“The HSE is reviewing this material to identify any individuals whose personal data was stolen and will notify the relevant data controller as required and affected individuals as required following engagement with the DPC,” the spokesperson said.

“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted.

“We expect that this material will include a mix of personal data, medical information, HSE corporate information, commercial data and general non-personal administrative data.

“Personal data means information about individuals, such as names, addresses, contact phone numbers and email addresses.

Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC

HSE spokesperson

“Medical information would include medical records, notes and treatment histories.

“Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC. You do not need to do anything or contact the HSE.”

Work on investigating the cyberattack continues with the HSE, technical experts and An Garda Siochana.

The HSE said while it has seen “no evidence of inappropriate use of stolen or copied data”, it will continue to monitor the dark web and social media outlets.

Since May 20 2021, the HSE has had a High Court order in place to stop all stolen data including personal and medical information that may have been stolen in the cyberattack from being published online.

“The HSE will enforce this order and take appropriate action where necessary to protect this information,” the spokesperson said.

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting