Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Shutterstock

HSE to begin notifying people whose information was illegally accessed during 2021 cyber-attack

Around 113,000 patients and staff had some of their information illegally accessed and copied.

THE HSE WILL this month begin a data notification programme relating to the criminal cyber-attack on the health service in May 2021. 

This programme will take several months, the HSE said, and around 113,000 patients and staff who had some of their personal information illegally accessed and copied during the cyber-attack will be notified by letter. 

They will then have an opportunity to get advice and further support from the HSE. 

The HSE said that due to the numbers of people involved, and the need to support each notification, this will begin later this month and continue in phases over the coming weeks and months. 

Of the people being notified, 86% relate to patient data and 14% to staff data. 

The HSE anticipates it will have contacted everyone by April 2023 or sooner. 

“We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide,” Joe Ryan, HSE national director leading the programme, said.

“We have taken a thorough approach in responding, from the initial response, to the lengthy period of data review, and now the notification process,” Ryan said.

“We are sorry that this happened, and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests.”

Cyber-attack

The HSE was targeted by a criminal cyber-attack in May 2021.

The aim of this attack was to disrupt the health service and computer systems, illegally access and copy data, and demand a ransom for its return.

The cyber-attack was stopped once the HSE became aware of it. No ransom was paid by the HSE or the State.

The HSE said it has been monitoring the internet including the web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online. This excludes a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web.

The HSE obtained a High Court order on 20 May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

Information accessed

The HSE said the cyber-attack continues to be an ongoing criminal investigation which limits the amount of detailed information it can share in the public domain in relation to the data that was accessed and copied. 

However, it has said files that were illegally accessed and copied are wide-ranging and include a mixture of personal information, medical information and internal health service files. They include documents such as HR forms submitted by staff in relation to leave and a limited amount of financial information mainly relating to staff expenses. 

For the most part, people will be notified that a limited amount of information relating to them was illegally accessed and copied.

Personal information includes information on spreadsheets such as names, addresses, contact phone numbers, email addresses. Medical information can include some medical records and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.

Due to the systems that were shared with the HSE at the time of the attack, Tusla and Children’s Health Ireland were also impacted and will be notifying people in the next phases. 

Tusla will begin its own notification process to people affected in the coming weeks. 

The HSE said it will continue to liaise with the Data Protection Commission and to work closely with its technical experts, An Garda Síochána and the National Cyber Security Centre.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
12 Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel

     
    JournalTv
    News in 60 seconds