Data stolen in HSE cyberattack included staff financial details

HSE to write to 113,000 people informing them their personal data was compromised

The Health Service Executive (HSE) has said “partial financial details” of some employees and some patients’ treatment histories were among data stolen by hackers during the cyberattack of the health service last year.

Around 113,000 people had their personal data breached during the attack on the HSE, which had a huge impact on the health service during the Covid-19 pandemic in May 2021. The compromised data stolen by hackers related to about 94,800 patients and 18,200 staff members.

In about 850 cases “limited financial data” of employees was taken in the attack, which was mostly information gleaned from travel expense claims.

In a briefing on Tuesday, the HSE said it was starting the process of writing to all those affected by the massive data breach. Officials planned to inform people who had their data stolen during the hack in stages between now and next April.

READ MORE

Joe Ryan, HSE national director in charge of the notification programme, said the “vast majority” of compromised patient data related to lists and forms that contained patients’ names and contact details.

Medical information that had been taken included clinical lists, vaccination lists, some medical notes and correspondence with patients. A “small amount” of the data stolen included patient treatment histories, Mr Ryan said.

Where personal data of staff had been compromised, the HSE official said this mostly related to HR forms, roster changes, or information on promotions.

In about 850 cases “limited financial” information of staff had been identified in the data stolen, including “partial financial details” of staff provided in travel expenses claims.

“We engaged early with the banks to understand what level of threat and risk associated with the data that was compromised and our advice is that that is in the lower risk category,” Mr Ryan said.

The HSE said there had been no indication the data was sold or spread on the internet or the dark web. There was no evidence that the data “has been used in any nefarious or criminal way” since the hack, Mr Ryan said.

Letters being sent to those affected would have a unique pin number, to allow people to sign into a HSE data portal, where they could request a copy of their data that had been compromised by the hack.

Mr Ryan said nearly 100 staff would be working in a support centre to call people to help them through the process if required.

The HSE did not want to overload staff tasked with responding to requests, so had decided to inform the 113,000 people in stages.

“For members of the public who don’t get a letter, please don’t contact us. We want to preserve our capacity in the contact centre to support the people who have been affected by the attack,” Mr Ryan said.

Tusla, the child and family agency, and Children’s Health Ireland, who run the children’s hospitals, also had data stolen in the cyberattack. Those agencies would be notifying people affected at a later date, the HSE said.

The HSE official said if people whose data had been breached wanted to take a legal claim for compensation they could do that through the courts.

Fran Thompson, HSE chief information officer, said the health service had improved its cybersecurity in the wake of the hack. “We have improved our security processes, we’ve applied a whole range of additional controls,” he said.

When the hack was discovered, the HSE shut down huge swathes of its systems to control the incursion, and obtained a High Court order in the following days preventing any sharing, processing, selling or publishing of the data, which remains in place.

A PwC report commissioned by the HSE after the attack found that it was operating on a “frail IT estate with an architecture that has evolved rather than be designed for resilience and security” and that there was an over-reliance on legacy systems.

Jack Power

Jack Power

Jack Power is a reporter with The Irish Times