What might happen to my confidential medical records from Monday?
The short answer is: a lot. The cyber gang which broke into the Health Service Executive’s computer systems effectively took copies of everything it encrypted. Even though the gang has supplied a decryption tool, it is still threatening to publish the documents it stole online or to sell them to other crime gangs if a ransom is not paid. The Government has said it refuses to pay a ransom.
The data includes personal patient information, including treatment histories; internal information about the HSE and its suppliers; staff records; the list goes on.
What did the hackers threaten?
The Conti ransomware group initially told the Government it wanted $20 million (€16.37m) after it gained access and copied an unknown amount of HSE data.
On its darknet website, Conti told the HSE “we are providing the decryption tool for your network for free”. But, it warned, “you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation.”
It said it would begin selling or publishing data on Monday.
But what use is it to criminals to know anyone’s medical history?
A great deal of the information about patients will be of little interest to anyone. However, some records could be used in attempts to extort people out of money. In Finland, for example, patient files were stolen in a cyber attack on a psychotherapy company which had 40,000 patients. Late last year many of them told police that they had received emails demanding the payment of €200 in bitcoin.
The patients were told that notes from sessions with their therapists would be published online if the ransom was not paid.
The case became a national scandal in Finland last October, but the theft happened two years prior to that, it is believed.
So it is not just about my medical history?
Those with sensitive health histories will perhaps be the ones most worried, but even very basic data on patient or corporate documents could be used by criminals. For example, lots of documents will contain a patient’s name, address, date of birth, phone number and, in some cases, email address.
That can all be very valuable to criminals who can use phone calls, text messages and emails to contact would-be victims and trick them into paying money or providing their bank account details.
Some fraudsters can be very convincing and if they contact a would-be victim with knowledge about the victim’s life then that can make them seem genuine. These fraud attempts will catch many people off guard, especially in months or even years from now, when the HSE attack has fallen out of the headlines.
Companies who provide goods or services to the HSE could also be targeted in frauds involving fake invoices.
What should I do then if I am contacted?
The Garda has advised that anyone approached on the basis of a blackmail attempt, or anyone who suspects they are victims of cyber-related crime, should contact their local Garda station immediately.
The Garda National Cyber Crime Bureau is continuing its investigation and is being assisted by local and international partners. Its advice remains that if anyone is contacted "by persons stating that they have your personal details and/or looking for bank account details you should not engage or provide any personal information".
The Garda said anyone reporting breaches of personal data will be handled “in a sensitive manner” while the breach will be examined by specialist investigators.
Gardaí are also worried that scammers with no connection to the cyber attack on the HSE systems will attempt to take advantage of confusion.
There are concerns that criminals claiming to be from the HSE will ask for “deposits” for medical procedures or could threaten to divulge sensitive patient data unless they receive a payment, regardless of whether they possess such data.
A senior Garda source warned that scammers may be ringing from phone numbers which appear to be genuine, including an official Garda number. “What we would say is, don’t give your personal details. The HSE or the guards won’t ever ask for your bank details or your PIN numbers or your passcode.
“If someone says, ‘We can get you in for a hip operation next week but we need your credit card details’, that’s a scam.”
The gardaí also advise against opening any email attachments, or following links, unless you trust the source.
The HSE has said people should “remain alert”, and advises that if anyone receives a suspicious call, text or other contact seeking personal or banking details to contact the Garda confidential line on 1800 666111.
When will I know if my data is affected?
That is the great unknown. In the Finland case, for example, it took a long time for the extent of the theft to become public as those behind it slowly started to extort those whose information they had stolen.
It is one of the many unfortunate aspects of the HSE breach that vulnerable patients could be waiting years for closure on this – if the stolen data is published or sold.
So what can I do to stop my data being circulated?
Not much. The HSE has been granted a High Court injunction banning the publication of any of the stolen data and documents. But that will not stop the cyber gang publishing the files on the darknet, from which they cannot be traced. And it also will not stop the gang selling the information to other crime gangs who will use it for fraud.
What is the HSE doing?
The HSE is focused on doing "everything we possibly can" to "constrain" the impact of the data breach, the CEO Paul Reid said. In addition, Mr Reid said the HSE is working with social media platforms to ensure no material is published. If data is published, the HSE will contact the Data Protection Commissioner, he added.