Cost of HSE cyberattack rises to €80m, letter shows

Aontú's Peadar Tóibín calls on Coalition to ‘quantify the impact of cyberattack on people’s health and lives’

The cost of the cyberattack on the Health Service Executive has risen to €80 million, according to new information.

In a letter to Aontú leader Peadar Tóibín last Friday, HSE chief information officer Fran Thompson said that the costs came to more than €42 million in 2021 and to nearly €39 million until October of this year.

It has been forecast that the total cost of the cyberattack, blamed on criminal gangs in Russia, could reach €100 million.

Mr Tóibín has described the costs as “enormous” and called on the Government to outline the full impact of the cyberattack in terms of appointments and delayed treatments.


“These costs are enormous – we could have paid a lot of nurses or built a lot of health infrastructure with this €80 million, had the Government not left us so exposed to a cyberattack.

“We must remember at the time of the cyberattack the National Cyber Security Centre had a mere 25 staff, no dedicated premises, no director, and a budget which was a third of the size of the Taoiseach’s Department’s PR budget from the previous year. As well as an economic cost, we also have another cost in terms of health outcomes – how many people suffered delayed treatment or appointments as a result of the cyberattack? Aontú is calling on the Government to quantify the impact the cyberattack had on people’s health and lives.”

A report on the incident published last December found that the opening of a malicious Microsoft Excel file attached to a phishing email led to the cyberattack that crippled the health service for weeks. The file was opened at a HSE workstation in March 2021, two months before ransomware “detonated”.

The increasing costs come as the health service begins the process of contacting approximately 100,000 people who had their personal data stolen during the cyberattack.

The Cabinet was told last month that to date there is “no evidence” of publication of HSE or Tusla data online, although the health service continues to monitor the dark and public web.

Minister for Health Stephen Donnelly and Minister for Children Roderic O’Gorman told Ministers that it is “probable” that following the data notification process, some legal claims could be lodged.

The two departments are engaging with the Attorney General to ensure claims are dealt with in a manner that has “due regard to the rights of the data subjects and relevant cases being considered by the Court of Justice of the European Union, and takes account of the likely costs to the exchequer”, according to a note circulated after the Cabinet meeting.

A communications strategy is also being finalised.

When the hack was discovered, the HSE shut down huge swathes of its systems to control the incursion, and obtained a High Court order in the following days preventing any sharing, processing, selling or publishing of the data, which remains in place. The order restrained any sharing, processing, selling, or publishing of data illegally accessed and copied from its computer systems.

Jennifer Bray

Jennifer Bray

Jennifer Bray is a Political Correspondent with The Irish Times