HSE secures injunctions restraining sharing of hacked data

The HSE has secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data stolen from its computer systems in a massive cyberattack.

The orders are against “persons unknown” responsible for accessing the HSE’s IT system and planting a ransomware note on it as discovered by the HSE on May 14th. They also apply to any persons with knowledge of them.

HSE chief executive Paul Reid told the court in an affidavit he feared all of the HSE’s data “is potentially compromised”.

Mr Justice Kevin Cross said on Thursday he was satisfied to make the orders sought over hacking undertaken for a “particularly heinous form of blackmail”.

The main purpose of the orders, the court heard, is to put legitimate information service providers such as Google and Twitter on notice of a legal prohibition on the sharing and publication of the HSE information.

The orders prevent the intended defendants selling, processing, publishing, sharing or making available to any member of the public, the stolen HSE data, which includes private medical data of HSE patients. They also restrain possession, transfer or disclosure of the information obtained from the HSE’s system without the HSE’s consent and require the “persons unknown” to identify themselves by providing names, postal addresses and email addresses.

The orders were sought in intended proceedings by the HSE which include claims for damages for breach of confidential information, fraud and deceit, conspiracy and conversion of the data which is believed to have been accessed by hackers based in Russia.

In an affidavit, Mr Reid said he was advised it is “highly likely” data has been stolen and an investigation is ongoing to determine the extent of the stolen data.

“This is a matter of grave concern for the HSE given the potential and imminent risk of publication of confidential medical and personal data relating to individuals contained on the HSE database system.”

He was “extremely concerned” to read media reporting of the alleged release/sharing of confidential medical data online, Mr Reid said. There are now serious concerns the perpetrators of the cyberattack will use the worldwide web to begin “drip-feeding” stolen confidential and highly sensitive medical data to third parties on an ongoing basis unless restrained by court order, he said.

In another affidavit, Fran Thompson, interim chief information officer of the HSE, said the investigation into the hacking is ongoing but it has been established the hackers had access to the HSE system for at least one to two weeks before the cyberattack was triggered on May 14th.

He said one of the ransomware notes stated: “YOU SHOULD BE AWARE! Just in case, if you ignore us. We’ve downloaded your data and are ready to publish.” He was also aware of reports of samples of files being offered by the “Contilocker Team” for the purpose of seeking to demonstrate they hold HSE data.

‘Irish Times’ application

On foot of that evidence, Jonathan Newman SC, with Michael Binchy BL, applied for the orders. Mr Newman initially sought to have the application heard in camera but The Irish Times court reporter secured an adjournment to instruct lawyers concerning that application.

Having heard from Mr Newman and Joe O’Malley, of Hayes Solicitors LLP, for The Irish Times, the judge, who described the matter as important, declined to allow it proceed in camera but made orders prohibiting any reporting of the matter before 6.30pm on Thursday.

He agreed with Mr O’Malley justice should be administered in public unless there are exceptional circumstances for ordering otherwise. He also took into account, in seeking the in-camera hearing, the HSE’s concern was to ensure the intended defendants had no notice of the matter before the court had considered it and to avoid any pre-emptive publication of the data.

In his ruling on the substantive application, the judge said, while the HSE’s application was legally unusual as the courts here generally do not make orders against persons unknown, he was satisfied there is no legal impediment to how the proceedings were constituted. He was also satisfied the orders are necessary and the relevant criteria for them had been met.

It is clear, “as the world knows”, there has been a substantial hacking of the HSE undertaken by anonymous sources for the purposes of blackmail, “always the remedy of a coward”, he said.

This was a “particularly heinous” form of blackmail where those responsible were seeking to put pressure on the HSE and the authorities to give in to the blackmailers demands, including by hoping patients with sensitive medical data stored on the HSE system will add to those pressures.

Blackmailers

The consequences of the blackmailers’ actions are “particularly cruel” at this time of a worldwide pandemic which is putting strain on the ability of the HSE and other agencies to treat patients, including some suffering from serious and life-threatening conditions.

In this situation, it would be “inconceivable” and “a cause of scandal” if the law was impotent or tied by excessive rules from attempting to stop this “outrage”, he said.

While the identities of the perpetrators are unknown, it is known they are responsible for hacking and accessing of HSE data and planting the ransomware note, which stated they could be contacted via an electronic link provided.

The practical effect of the injunctions may be that the authorities in the country concerned will hopefully co-operate with the order and use their full resources to track down the perpetrators. It was also expected other non-criminal actors will abide by the orders with the effect the mischief intended by the hackers will be minimised, he added.

The intended defendants now have 42 days to enter an appearance to the proceedings, after which the matter will return before the court.