Garda specialists tracked stolen HSE data to commercial server in US

Cyber crime personnel had been tracking movement of data for months

The Health Service Executive data stolen in a cyber attack which crippled the country's health systems last May was located by gardaí on a commercially available web server in the United States.

The data was found following months of work by specialists from the Garda National Cybercrime Bureau. Its return to the HSE will allow the health service to determine exactly what data was stolen and which patients have been impacted.

It is understood some senior gardaí were frustrated with a HSE statement issued on Monday which was seen as suggesting the data was found by US law-enforcement agencies.

“This was down to the hard work of gardaí, not the FBI or American justice department,” a security source said.


Garda digital forensics specialists had been monitoring the movement of the data across different servers located around the world before tracking it to the web server in the US.

Sources said the fact that it was being stored in the US is not particularly significant to the investigation. Such servers are cheap and commercially available to people around the world.

The suspects behind the attack are still believed to be members of the Conti ransomware gang, who are mostly based in Russia and Eastern Europe.

After locating the data, gardaí made a request to the US department of justice under a mutual legal assistance treaty (MLAT). This was approved by a US court and the data was officially handed over to the Garda via the Director of Public Prosecutions (DPP) before being passed on to the HSE.

Gardaí are continuing to investigate suspected members of the gang, including by using “chain analysis” to track global cryptocurrency payments.

The force previously seized and disabled ransom websites used by the gang as part of a “significant disruption operation”. The seizures prevented a large number of further ransomware attacks across the world, it said.

When gardaí located the HSE data, it was just “sitting there”, an informed source said, with no indication that it was going to be leaked or ransomed. Officers have been monitoring ransom websites on both the dark and surface web but have seen no signs of criminals trying to sell the data.

It is believed the criminals were reluctant to try to sell such sensitive healthcare data for fear of a crackdown by law-enforcement officials in their native countries, who would otherwise turn a blind eye to their activities.

This is likely the reason the hackers provided a decryption key to the HSE after the attack, which helped officials fix the system, sources said.


However, security sources warned the criminals still possess copies of the data and may decide to release it at a future date.

The recovered information is thought to contain a mix of personal data including phone numbers and email addresses, and medical information such as records, notes and treatment histories.

The HSE said it was now reviewing the material to identify any individuals whose personal data had been stolen and would notify “affected individuals as required” following engagement with the Data Protection Commissioner.

“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received and don’t yet know the numbers of individuals impacted,” it said.

A HSE spokeswoman told The Irish Times on Tuesday the recovery of the data would help identify patients whose data was stolen but would not have a material impact on the rebuilding of the computer systems damaged in the attack.

This is because the vast majority of systems have now been restored. “Over 99 per cent of all production servers and 100 per cent of all devices have already been restored. Acute services are almost fully restored, along with community and corporate.”

Conor Gallagher


Conor Gallagher is Crime and Security Correspondent of The Irish Times