Hackers could publish HSE patient data online, says Minister

Much of information is administrative and not related to procedures and conditions

The Garda and National Cyber Security Centre are liaising with Europol on the nature of the ransomware recently used against the HSE. File photograph: iStock

Hackers are expected to have accessed patient data as part of the HSE ransomware attack, and may now publish it online, a Government Minister has said.

While there is not yet definitive evidence of patient information being compromised, with the HSE on Sunday saying it was still too early to determine if it had happened, Minister of State for Communications Ossian Smyth told The Irish Times: “I expect it has [been accessed] and it wouldn’t surprise me if it was published at some point in the future.”

Mr Smyth stressed, however, the HSE did not centrally store significant amounts of clinical patient data, with much of the information held being administrative rather than related to procedures and conditions.

He said accessing such patient files would be “the first thing [hackers] would do before trying to encrypt data or delete backups”, and that usually such information was sold on and later released either by the hackers or other parties.

Similar attacks, such as one on the Scottish Environment Protection Agency last year, saw information published online after ransoms went unpaid, but Mr Smyth said he believed data was regularly posted whether such sums were paid or not.

The Garda and National Cyber Security Centre are liaising with Europol on the nature of the ransomware used. Mr Smyth said early indications were that a second attack, on the Department of Health, suspected to have been carried out by the same criminal organisation, was not as serious as the HSE hack.

Organised criminals

He also said early work done by departments and agencies did not yet indicate the presence of similar ransomware on their systems. Garda sources believe the attacks were by organised criminals, rather than a foreign state.

The HSE is grappling with the impact of the attack, with chief clinical officer Dr Colm Henry saying it was facing significant disruption that could continue “well into the coming week”. The HSE has found it has some clean back-up data and is slowly restoring its services, but it promises to be a slow process.

The effect is likely to be greater in hospitals run directly by the HSE than in the large voluntary hospitals, although radiology and diagnostic services are expected to be hit across the board.

Urgent radiation oncology treatment is being transferred to private facilities.

HSE operations chief Anne O’Connor said on Sunday that core radiology and patient management systems are down. “All of our diagnostic capability in terms of radiology has gone,” she said.

Minister of State for Communications Ossian Smyth says a second attack, on the Department of Health, is not thought to be as serious as the HSE hack. File photograph: Gareth Chaney/Collins

There have been widespread cancellations of radiotherapy for cancer patients, with urgent treatments to be done in the private sector. Vaccination and testing and tracing for Covid-19 are running.

Ransom note

A ransom note purporting to come from the criminal gang was published in the US media at the weekend and threatens the release of detailed patient information unless a ransom of $20 million is paid.

US site Bleeping Computer says the note was obtained from a cybersecurity researcher. It claims the attackers have been inside the HSE system for two weeks and encrypted a significant amount of data, including patient and banking details.

A series of attacks of this kind began about 18 months ago, linked to a Russian gang known as Wizard Spider, which has also outsourced attacks to other criminal gangs in exchange for a share of the ransoms that are paid. Most of the activity has originated in Russia or eastern Europe, and those origins are suspected for the Irish attack.

*This article was amended on May 17th 2021

Jack Horgan-Jones

Jack Horgan-Jones is a Political Correspondent with The Irish Times

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times

Martin Wall

Martin Wall is the Public Policy Correspondent of The Irish Times.