HSE Statement

The HSE became aware yesterday evening (Thursday, 8 June) that an external partner (EY) working with us on a project to automate part of our recruitment process was alerted to a cyber-attack on the technology product MoveIT which they were using to support this work.  This attack was criminal in nature and international in scale.

HSE teams together with EY have worked closely over the last number of hours to determine the impact on HSE data.

This analysis has determined that is it likely that information relating to no more than 20 individuals involved in recruitment processes was accessed. The data on these recruitment panels is comprised of names, addresses, mobile number, place on the panel and more general information on the posts being recruited. Importantly no other personal identification data or financial data is included.

The HSE is in contact with relevant authorities and is informing the Data Protection Commission.  Contact will be made shortly with those individuals whose data was accessed.

Commenting on the information available to date HSE CEO Bernard Gloster said: “I have reviewed this incident with senior officials this morning.  Any breach is regrettable but unfortunately a feature of international criminal activity in recent years.  A number of significant facts are important here including no patient data was involved, the attack was not in the HSE ICT environment, there is no evidence as of yet of this data appearing on the dark web which is being monitored by EY and the exposure for the HSE appears to be quite small.  We are actively keeping the matter under review.”