‘No evidence’ data stolen in cyberattack used for criminal purposes, HSE says
The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service.
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.There is “no evidence” that data stolen in a cyberattack on the HSE this year was published online or used for criminal purposes, the health board said.
The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service, leading to mass cancellations of appointments and surgeries.
The HSE has been given a copy of the stolen data from gardai, which they received from the Department of Justice in the United States.
A spokesperson said: “The HSE has been monitoring the internet including the dark web since the cyberattack and has seen no evidence at this point that this stolen data has been published online or used for any criminal purposes.
We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted
“The HSE carried out an initial technical examination of the material over the weekend and has confirmed that it is data removed from HSE systems.”
The HSE said it has updated the office of the Data Protection Commission (DPC) on the development, and will continue to engage with them under its GDPR obligations.
“The HSE is reviewing this material to identify any individuals whose personal data was stolen and will notify the relevant data controller as required and affected individuals as required following engagement with the DPC,” the spokesperson said.
“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received on December 17 2021 and don’t yet know the numbers of individuals impacted.
“We expect that this material will include a mix of personal data, medical information, HSE corporate information, commercial data and general non-personal administrative data.
“Personal data means information about individuals, such as names, addresses, contact phone numbers and email addresses.
Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC
“Medical information would include medical records, notes and treatment histories.
“Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC. You do not need to do anything or contact the HSE.”
Work on investigating the cyberattack continues with the HSE, technical experts and An Garda Siochana.
The HSE said while it has seen “no evidence of inappropriate use of stolen or copied data”, it will continue to monitor the dark web and social media outlets.
Since May 20 2021, the HSE has had a High Court order in place to stop all stolen data including personal and medical information that may have been stolen in the cyberattack from being published online.
“The HSE will enforce this order and take appropriate action where necessary to protect this information,” the spokesperson said.