HSE hack: Clinical, diagnostic and payroll data ‘all potentially compromised’

Affidavit seeking orders barring use of stolen data says full recovery of IT system is likely to take weeks

Paul Reid, chief executive of the HSE. Photograph: Dara Mac Dónaill


All of the HSE’s data “is potentially compromised” following a massive cyberattack, its chief executive, Paul Reid, has told the High Court.

In an affidavit, Mr Reid said full recovery of the HSE’s IT systems would be likely to take several weeks and the overall impact of the disruption on the HSE and patient care here “cannot be overstated”.

He said it was understood the attack was conducted by the Conti international cybercrime gang and it was “highly likely” data had been stolen. An investigation is continuing to determine the extent of the theft.

This was of “grave concern” to the HSE, given the potential and imminent risk of publication of confidential medical and personal data relating to individuals contained on the HSE database, he said. That database contained data that could be categorised under three headings: clinical, laboratories, diagnostics, oncology; patient administration such as medical cards and administration systems; and corporate (payroll, HR, finance).

“All of this data is potentially compromised.”

His affidavit was provided to the court after the HSE applied for orders, granted by Mr Justice Kevin Cross, restraining persons unknown, and any persons with knowledge of the orders, from sharing, selling, publishing, processing or otherwise dealing with the data without consent of the HSE.

Mr Reid said, on learning of the attack on May 14th, the HSE decided to shut down the IT systems across the health service to protect it from the attack and give it time to assess the situation.

There are some 2,000 information and communications technology (ICT) systems, each supported by infrastructure, multiple servers and devices. A rigorous process of assessment and recovery of those is under way, and some 80,000 devices need to be checked, requiring significant resources.

Investigation continues

The investigation into the hacking is ongoing with involvement from the Garda, the National Cyber Security Centre and various international agencies, he said.

The attack and consequential shutdown of the HSE’s IT systems has had a significant impact on hospital appointments and systems, and there continues to be major disruption across the country, he said. There is particular impact on radiology, radiotherapy and laboratory systems, and essential services such as blood tests and diagnostic services are taking much longer to turn around than usual. Cervical screening appointments were postponed this week.

The immediate focus is to get priority systems back online as quickly as possible, including maternity and infant care, radiology and diagnostics, chemotherapy, radiotherapy and lab services, but full recovery is expected to take weeks to achieve, he said.

He was concerned any publication of data unlawfully exfiltrated from the HSE’s IT systems would be inimical to the HSE’s statutory object of promoting the health and welfare of the public. He was extremely concerned to read media reports of the alleged release/sharing of confidential medical data online and believed, if that was done, it was likely to have been done by the perpetrators of the attack.

Fran Thompson, interim chief information officer of the HSE, said a call was logged at about 2.50am with his office on April 14th to report the patient management systems and printers were unavailable at St Luke’s Hospital. At 3am, Our Lady’s Hospital advised that their systems were also down. On investigation, a ransomware note was discovered on a personal computer at the latter hospital. At 3.22am, multiple sites were reporting multiple issues across multiple systems.

At 4.41am, a critical incident was declared and the critical incident process was commenced. It was decided to implement a “containment” phase and all systems were shut down. Initial reports indicated a human-operated Conti ransomware attack had severely disabled a number of systems.

Data made unusable

While investigations are continuing, it is certain the system was compromised through the encryption of data, thus rendering the data unusable, he said. The size and scale of the extraction of the data is likely to be ascertained more definitively as part of the ongoing investigation.

Mr Thompson said he was aware of a number of other ransom requests reported upon in the media but could not yet say whether those other requests were from the perpetrators of the HSE attack, as copycat ransom notes from other sources are not unusual.

As well as threats to publish the HSE data, he said he was also aware of reports of samples of files being offered by the Conti team for the purpose of seeking to demonstrate they were holding HSE data. He believed it was “more likely than not” those samples derived from the hacking of the HSE system.

As the HSE would not be making any payment to those responsible, he believed there was a “very real and serious” risk the attackers would publish data and information obtained by them for their own unlawful purposes. The primary reason the court orders were sought was to enable the HSE to put information service providers such as Google and Twitter on notice of the prohibition of the dissemination of such information, leading to swifter and more comprehensive removal of any such information if efforts were made to publish it through those channels.