The HSE programme to contact people whose information was illegally accessed and copied during the May 2021 cyber-attack on HSE systems is beginning today. The HSE is writing to those who need to be notified under GDPR.
- HSE is beginning to notify approximately 113,000 people in a phased way from today and this will continue over the coming months.
- There is no evidence that any personal data has been shared online (other than a small amount of data at the outset of the cyber-attack which has been taken down from the web) or used for criminal purposes since the cyber-attack.
- The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.
- Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this.
- Individuals who do not get a letter do not need to contact the HSE or do anything.
The HSE has today (Tuesday, 29th November 2022) started to notify, by letter, patients and HSE staff who had some of their personal information illegally accessed and copied during the cyber-attack on the HSE.
Due to the numbers of people involved, and the need to support each notification, this notification programme will continue in phases over the coming weeks and months. If you do not get a letter you do not need to contact the HSE or do anything. This is to help us to provide an efficient service to the people being notified in stages. It also means we can dedicate our support to people who have been notified.
Joe Ryan, HSE National Director leading the notification programme, said today, “From today, and over the coming months, the HSE will be contacting approximately 113,000 people by letter to inform them that some of their personal data was illegally accessed and copied as part of this cyber-attack. As a result of our extensive monitoring and support from security services, we have seen no evidence that personal data relating to the HSE cyber-attack has been shared or used fraudulently.
“We are very sorry that this occurred and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests. This notification process is an important duty for the HSE, as we held people’s personal data, and through this cyber-attack on HSE systems, that information was compromised.”
In the letters to those affected the HSE will be apologising to the people being notified that this happened. People being notified will receive a letter telling them what part of their personal information was impacted. The letter will also outline how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied. This can be done via a portal on the HSE website at hse.ie/dataprotection or by post.
Joe Ryan continued, “The notification process will go on over the coming weeks and months, as we have to take great care in notifying people correctly and securely. The first group being notified includes approximately 850 HSE staff members. We are writing to them to notify them that data relating to their staff travel expense claims was illegally accessed and copied. This data contained some limited financial details.”
He added, “We expect the notification process will take a number of months to complete, as we take the time to contact each person, ensure we have a secure communication with them, and go through the process of assisting them if they want to make a request to view their documents.
“Of the people being notified, 84% of our notifications relate to patient data and 16% to staff data. This means that over the coming months we will be writing to approximately 94,800 patients and around 18,200 members of staff. We anticipate we will have contacted everybody by April 2023 or sooner.
“We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide. We have taken a thorough approach in responding, from the initial cyber-attack to the lengthy period of data review and verification, and now the notification process.”
Response to the cyber-attack
The health service was targeted by a criminal cyber-attack in May 2021. The aim of this attack was to disrupt our health services and computer systems by encrypting them, illegally access and copy data, and demand a ransom.
The cyber-attack was stopped once we became aware of it, and the HSE has worked with a range of state agencies to respond to it. No ransom was paid by the HSE or the State.
Specialist security partners of the HSE have been monitoring the internet including the dark web since the cyber-attack and have seen no evidence at this point that the illegally accessed and copied data has been published online (other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web) or used for any criminal purposes.
The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.
Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this.
Ongoing criminal investigation
The information that was identified as exfiltrated from HSE systems included data relating to individuals across the country. The cyber-attack on the HSE remains the subject of an ongoing criminal investigation, which limits the amount of detailed information we can share in the public domain in relation to the data which was illegally accessed and copied, or the details of sites affected. This is also to protect against the risk of sites being re-targeted or community-based ‘phishing’ scams being mounted in those areas.
Other organisations affected
Due to systems that were shared with the HSE at the time of the cyber-attack, Tusla and Children’s Health Ireland were also impacted. Both Tusla and Children’s Health Ireland will be notifying people in the next phases of their respective processes.
Types of information impacted
The health service data that was illegally accessed and copied has been thoroughly examined and validated. It is wide-ranging and includes a mixture of personal information, medical information and internal health service data. The internal health service data includes documents such as HR forms submitted by staff in relation to leave and data relating to staff travel expenses.
For the most part, people are being notified that a limited amount of information relating to them was illegally accessed and copied. Personal information includes information on lists such as names, addresses, contact phone numbers and email addresses. Medical information can include some medical notes and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.
We will continue to liaise with the Data Protection Commission and to work closely with our technical experts, An Garda Síochána and the National Cyber Security Centre.
Last updated on: 29 / 11 / 2022