HSE hack: How bad could things get for the public if data is published?

Even basic data on patient or corporate documents can be used by criminals

What can criminals do with the Health Service Executive data now in the hands of a cyber gang?

The short answer is: an awful lot. The cyber gang that broke into the HSE’s systems effectively took copies of everything it encrypted. Even though the gang has supplied a decryption tool, it is still threatening to publish the documents it stole online or to sell them to other crime gangs if a ransom is not paid.

The data covers personal patient information, internal information about the HSE and its suppliers. The list goes on. Everything about patient data is private, including treatment histories. The release of any such data would be very distressing for many.

But what use is it to criminals to know anyone’s medical history?

A lot of information about patients will be of little interest to anyone. But in some cases it could be used to extort those people out of money. In Finland, for example, a cyber attack on a psychotherapy company, with 40,000 patients, saw the theft of patient files. Late last year many of them told police that they had received emails demanding the payment of €200 in bitcoin.

Notes from their sessions with therapists would be published online if the money was not paid. The case became a national scandal in Finland last October, but the theft happened two years prior to that, it is believed.


So anyone with sensitive health histories is most vulnerable if the HSE files are shared or sold?

They will perhaps be the ones most worried, but even very basic data on patient or corporate documents could be used by criminals. For example, lots of documents will contain a patient’s name, address, date of birth, phone number and, in some cases, email address. That can all be very valuable to criminals who can use phone calls, text messages and emails to contact would-be victims and trick them into paying money or providing their bank account details.

Some fraudsters can be very convincing and if they contact a would-be victim with knowledge about the victim’s life then that can make them seem genuine. These fraud attempts will catch many people unawares, especially in months or even years from now when the HSE attack has fallen out of the headlines.

You mentioned corporate documents, what’s that about?

In the past couple of years the Garda has been dealing with a surge in frauds where victims receive text messages and phone calls, but they have also been dealing with a lot of invoice-redirect frauds. They involve fraudsters finding out two companies are trading with each other and then assuming the identity of one of the companies to defraud the other company with a bogus invoice.

These frauds have been very successful, with fake invoices of more than €1 million being paid out. The companies believe they are paying one of their suppliers for goods or services supplied, but they are really paying criminals. If the HSE hack includes invoices or other documents from companies that supply the HSE with goods are services, all of that information can be used in invoice-redirect frauds.

It all sounds very grim, so how do we stop this information coming out?

To be blunt, we cannot stop it. The HSE has been granted an injunction banning the publication of any of the stolen data and documents. But that will not stop the cyber gang publishing the files on the darknet, from which they cannot be traced. And it also will stop the gang selling the information to other crime gangs who will use it for frauds.

The injunction will stop the media from publishing any of the material and, perhaps more worryingly, it should give people pause for thought, and ultimately stop them, if they are about to share any of the stolen information on social media. But there is nothing we can do to stop the data being published on the darknet or being sold.