Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
LAST UPDATE | 15 May 2021
HSE CHIEF PAUL Reid has said that “safe and steady progress” has been made overnight in dealing with the fallout of a “sophisticated” ransomware attack that the Government called “possibly the most significant cyber attack on the Irish State”.
The HSE was made aware of the attack in the early hours of Friday, and shut down all national and local IT systems yesterday in order to protect them from encryption by attackers.
Because computers are shut down as a precautionary measure, some health services have been affected: the extent of the disruption varies from each hospital and service.
The Covid-19 vaccination programme has not been affected by the attack, and people should attend those appointments as normal. The HSE is still planning to administer between 260,000 and 280,000 Covid-19 vaccine doses next week.
Reid has encouraged the public to continue to register for a vaccine appointment through the online portal, saying that the system is safe to use. People aged between 50 and 69 are eligible to register, with information on those between 40 and 49 expected to be released next week.
Covid test results and contact-tracing services have been successfully restored after being disrupted yesterday.
Anyone who has symptoms of Covid-19 is asked to self-isolate and contact your GP, who may advise you to attend one of the walk-in Covid-19 test centres.
However, the Department of Health has said that “due to the current disruption of the HSE IT systems” daily Covid-19 figures are not available. Backdated figures will be published “when possible”, a spokesperson said.
Not paying a ransom
The HSE yesterday confirmed that a ransom has been sought but said it will not be paid, in line with State policy.
When asked today about whether the HSE would pay out a ransom to ensure patient data was not released by the attackers, Reid did not confirm but said that the HSE was working with cybersecurity experts to ensure patient data is not released.
However, Reid also said that due to how patient data is stored across multiple systems, there was currently no indication of how much patient data has been accessed by the attackers.
“We’re now assessing across each system, what level of data was encrypted [by attackers], what level of data may have been compromised,” Reid told Saturday with Katie Hannon.
“So that’s still a process that we’re going through before we move to the recovery phase.”
The systems were hit by a Conti ransomware attack, where attackers enter into a computer system and study how it works, before compromising anything they can and announcing their attack to the victim.
Reid said it was “quite a sophisticated” attack, a “major incident” for the health service, and is a “human-operated” cyber attack.
According to Reid, teams have made progress in identifying the nature of the attack and some of the potential impacts that the ransomware attack has caused.
The HSE’s backup systems are currently safe, with Reid saying that teams are assessing whether or not there has been any impact on the data stored within the backup systems.
Minister of State for Public Procurement and eGovernment Ossian Smyth told RTÉ News yesterday that the attack was not espionage, and that it was an international attack.
“This is a very significant attack, possibly the most significant cyber attack on the Irish State,” Smyth said.
He added that the motive is to encrypt private data, and threaten to publish the data if a ransom is not paid.
Update on appointments
Appointments were cancelled by a number of hospitals yesterday and thousands more could be cancelled next week.
In a statement released this afternoon, the Saolta Group of Hospitals said the cyber attack “continues to have a considerable impact on hospital services”.
The Saolta Group covers the following hospitals:
Maternity services and dialysis treatment will go ahead. Patients should also attend their chemotherapy appointments unless contacted and advised otherwise.
The following cancellations have been confirmed:
The statement noted: “Patients can expect significant delays in the Emergency Departments and Roscommon Injury Unit as existing IT systems are not in use and the manual workarounds in place are time-consuming.
“We ask patients to contact their GP or GP Out Of Hours Service in the first instance if their health problem is not urgent.
“Where possible patients should bring their existing patient number or board number with them when they come to the hospital. This number appears on appointment letters, test results, blood test results.
“We would like to thank our patients for their understanding at this difficult time.”
The UL Hospitals Group has also issued an update today, saying that a majority of outpatient appointments and elective procedures will go ahead as scheduled on Monday 17 May.
The UL Group covers:
The group is advising that patients attend for their appointments and procedures unless contacted directly by the hospital and advised otherwise.
“We apologise to patients who are experiencing delays and disruptions to our service,” said the group in a statement.
The emergency department at UHL will continue to operate but currently is very busy. They are currently urging all members of the public to consider all care options and only attend the ED in an emergency.
Non urgent patients may face significant delays, according to the UL Hospitals Group. Injury units are still in operation in Ennis, Nenagh and St John’s.
The Maternity Emergency Unit remains available 24/7 and the Early Pregnancy Assessment Unit remains appointment only.
The UL Hospitals Group also said that there may be further disruption next week.
The Dublin Midlands Hospital Group has released this update about cancelled appointments.
See statement below from @DMHospitalGroup regarding the current situation in our hospitals following the ransomware attack on the @HSELive IT systems. Updates will be posted as they become available. We thank our patients & the public for their understanding at this time. pic.twitter.com/02KZyDrSN6
— Dublin Midlands Hospital Group (@DMHospitalGroup) May 14, 2021
Patients have been advised to check the websites and Twitter accounts of the HSE and the hospital group in their area for the latest updates.
National Cyber Security Centre
Communications Minister Eamon Ryan and junior minister Ossian Smyth were both briefed by the National Cyber Security Centre (NCSC) this morning, with the agency saying that their full resources are being put to supporting the HSE in its response to the attack.
A spokesperson for the Department of the Environment, Climate and Communications today said that the NCSC’s full resources “have been committed to supporting the HSE in its response to the cyber attack, and the NCSC is liaising with international partners and third-party contractors”.
“This work will continue throughout the weekend with the focus on supporting the HSE’s recovery process in order to minimise disruption to services.”
Speaking yesterday evening, Taoiseach Micheál Martin said it would take “some days” to assess the impact of the cyber attack.
He was also clear that no ransom would be paid, and said that it would be dealt with in a “methodical way”.
Security sources have said that the most likely suspects for the attack are criminals who are ‘state actors’.
“This is an almost daily occurrence, and the HSE were targeted this time. In terms of cyber security the most difficult thing is that these hackers are state backed and are most likely from North Korea, Russia or China,” a cyber security source said.
With reporting by Gráinne Ní Aodha and Tadgh McNally
To embed this post, copy the code below on your site
Welcome to the new type of terrorism folks. These groups and state sponsored hackers are now the new type of terrorist, except they don’t need to travel anywhere or blow themselves up to cause absolute carnage and mayhem. We saw in the states the panic a pipeline being shut down caused. Once hackers find a vulnerable spot in a country or Company systems, they will keep trying to exploit them especially if the systems in question are older or legacy types which means easier to breach. Let’s hope the countries cyber defences get a massive upgrade now, cos we don’t need something even bigger being hit next time like a utility company that could take down power or communications
@Michael Healy: any proof that it’s state-sponsored? Some people are mentioning Russia but I am not convinced. I am certainly no fan of Uncle Vlad by any means but fail to see why the HSE would specifically be targeted? To me it’s caused by greed from non-state criminal organisations rather than in the name of any warped ideology.
@Alex Marquis: why and how would he have proof? That is not a general statement he is making, it’s the truth. More and more cyber attacks are happening around the world and I wouldn’t be surprised if this was paid for by a government or an individual of some kind because we wouldn’t comply with what they want. Its a well know fact that this is now how modern wars are fought.
@Alex Marquis: It may not be state sponsored, I personally don’t believe it is. But Conti Ransomware was a successor form of Ryuk, which was believed to have been used by Russian criminal gangs. Also Conti attacks have mainly occurred in America and Western Europe (I’m not aware of any reported attacks on Russian organisations, another reason to believe its probably Russian as Russian gangs have been known to write code into the malware so that it doesn’t attack IPs associated with Russia).
To your point though about State hacking, North Korea have carried it out in order to fund their state e.g. the Lazarus group with WannaCry malware.
@Nigel: Another point that I have not seen mentioned anywhere yet and why generally these attacks are either carried out by Russia, China or North Korea is because even if, and its a very big IF, the people behind the attacks are caught, none of those countries extradite their citizens so the risk / reward ratio to carry out these attacks is a no brainer for them.
Maybe if the f00ls in the Dept of defence saw a bit beyond the ends of their noses they would have followed the advise of the military and not allow the Cyber Security Unit to be decimated and defunded. The government have been warned about this kind of attack by specialists for years but have chosen to do the ostridge manoeuvre and pretend they have it under control. These state sponsored attacks will cost lives. The government need to cease the defunding of the Defence Forces and realise that a well funded cyber security unit will be invaluable.
@JG: the department of defence are the military.?
@John B: no, they’re not. Dept are all civilian civil serpants, while the military are, military
@JG: why would the Dept of Defence have anything to do with the Health Services Security? This isn’t America, the HSE has very sophisticated security compared to other departments of the state. It is the new terrorism, as outlined in the first post.
@Mary Conneely: sophisticated security, that’s absolute rubbish. The vast majority of their terminals are using windows 7 and there are still a lot of windows XP terminals
@JG: maybe you being the expert, should go and show them all how it’s done!
@Mary Conneely: Mary they don’t. For years different departments were not connected to each other. Nobody knew what each other were doing.
@Mary Conneely: I think you’re on the wrong planet
@JustHereForTheComments: great response. What circus do you usually perform for?
@Hugh Morris: What is your source for this? Or does this fact of the type that ‘Everybody knows……….’?
@Kate Mchugh: If the different departments were not connected, how did the ransomeware spread?
@JG: No JG don’t be like that! We need you!
@JG: what have the department of defence to do with this ? The NCSC is under Department of the Environment, Climate and Communications. Facts matter.
@Mary Conneely: some poor fella is probably running a free Avast antivirus through a batch of floppy discs over the weekend now, that’s how sophisticated they are lol
@Paul Duffy: you are correct but the whole reaction system and defence is operated under the Defence Forces and the Office for emergency planning with Computer Security Incident Response team which is chaired by the Minister for Defence. The main point being is that if the main operators or one of the arms of the system is debilitated then the whole system will fail. The Defence Forces element which has responsibility for cyber defence is from the Communications and Information Services Corps.
Dear Hackers
In awe of your recent work.
I bank with (info withheld)
Pretty please can you hack my mortgage account and delete everything.
I have €50 with your name on it.
Lads out there desperately trying to uninstall uTorrent from their HSE laptops.
@⚡ Seánie ⚡: ooooh, that’s a low blow lol
@⚡ Seánie ⚡: surely you meant limewire?
@⚡ Seánie ⚡: probably still using Napster
But seriously, all our details are on the system, PPSN, DOB,Name,Address..it’s worrying and a cause of concern
@Laura Halpenny: it’s ok Carphone Warehouse are gone.
Nobody will be able to sign us up to bills in our name.
@Madra: it’s bigger than that…they may have all the details to effectively gain control of bank accounts…especially if you’ve ever paid by card eg A & E visits
@Laura Halpenny: payments are taken by a third party so no cause for concern with your gold card just yet
@Laura Halpenny: your card details are not held on the hse database, a third party is used for payments, stop spreading mis information
@Laura Halpenny: no t
@Laura Halpenny: talk about scaremongering, no they don’t, ransomware attacks are where the victims files are encrypted on their own machine and the hacker has the decryption key, they don’t hold the files
@Pat ALTHEA: love the sarcasm..very becoming dearest
@SmallbutMighty: I’m not attempting to spread misinformation, thanks for providing the info in an exaggerated way though.
@pkunzip doom2.zip: god almighty, I’m not trying to scaremonger, it was a genuine worry for me…you get attacked more on this forum for having an opinion than the HSE cyber attack
@Laura Halpenny: oh, just wondering how everyone logs into their revenue online?
@Madra: a few years ago a Nigerian lad dipped into my apartment communal letterbox stole a credit card statement of mine and fraudulently took out mobile contracts with every provider at the time. It wasn’t till the fraud department in O2 tracked me down that I was made aware then the Gardai questioned me and eventually they tracked the lad down to his place of work the day after he was gone vanished into thin air. Thankfully I wasn’t liable for the debt he accrued in my name. He had made a provisional drivers license with his photo and my info O2 copped it as my surname is definitely not Nigerian ( her words ).
@Laura Halpenny: when posting on social media its important be mindful of your language. If you have a genuine concern and were simply asking a question then phrazing it as so is important. Things like using a ? Usually helps. Then you will usually get a reasonable answer. Your post was phrazed as a statement and by referring to card details specifically you then fall into the relam of spreading misinformation and scaremongering because you are posting something like its a fact when actually it’s something that you don’t know anything about at all (through your own addmittion) as Internet users we all have an individual responsibility you use it correctly. When you post incorrect information on the Internet it spreads at an exponential rate. Just some tips on netiqutte, its ok to have genuine concerns and ask questions but unless you phrase it as so, except a backlash.
@SmallbutMighty: *expect
@Laura Halpenny: don’t be posting false information.
@Laura Halpenny: the idea of a ransomeware attack is to prevent the information being available. It’s a lot quicker to encrypt the data to make it unreadable than to transfer the data.
@pkunzip doom2.zip: I read the article as saying that they have encrypted private data and are threatening to release it if ransom not paid They publish it.
People have sensitive personal health or mental health info that they wouldnt want publushed for all tosee.
@Laura Halpenny: The card details would be encrypted. If you paid by card at the hospital and immediately asked the person behind the desk to read back your card number, they couldn’t. All that would be visible to them is the last 4 digits of your card number. Similar with transactions in shops. It’s a very secure system. Actually about to get even better. The phone notification system being brought in by AIB this month will make it even more secure. BoI have it in place already.
@Laura Halpenny: With 2 factor authentication
@Laura Halpenny: Good point. I might get a new card printed so!
Could this be an Israeli attack on us in response to Ireland and Leo’s condemnation of the mayhem that is happening there this week of the Palestinian people ?…. Just the timing, I’m thinking of…. “the day after”…
@C_O’S: hardly, like any other terrorist attack, its not something they cook up overnight, a lot of planning would have gone into this.
@Uncle Montys oaf: not necessarily, I think you’re overestimating the HSE’s security
@Hugh Morris: attacks like these usually take place over weeks or months. First infection could have happened at any time and quietly worked it’s way around the network before it was noticed. Timing not necessarily relevant.
@C_O’S: without knowing the specifics it’s far more likely it’s a phishing attack. Don’t attribute to malice what can easily be explained by incompetence. Ransome attacks are usually opportunistic, its mail several million people per day and someone opens the link or attachments with the payload.
@C_O’S: it was the day after a lot of things happened.
Israel would have nothing to gain — it would only intimidate if they were implicated. You can’t silence someone with threats if they’re anonymous.
And if they WERE implicated the blowback would be far worse for them.
Occam’s razor. The explanation with the fewest assumptions is likely the correct one. Which is that it’s the usual Russia/China/North Korea based ones
@Martin Smith: he was suggesting that they spent a lot of time manually planning the attack. It was more than likely automated and could have been done by a script kiddie with a single click. I think people underestimate how lax our security is in this country
@Martin Smith: it could also have happened in a faction of a second
In my opinion, the more that cybercriminals underestimate state security systems, the better. Claiming that security is lax is one thing, if you don’t mind the fact that criminals are always listening in. On a small system, that reads like an open invitation. On the other hand, any larger system is likely to be designed rather like the Pyramids; burglars may get in, but it’s not a guarantee that they’ll get out scot free again. By which I mean that any hacking will be under audit surveillance and the long-term plan would be to trace them and build evidence against them.
@Fiona Fitzgerald: you clearly don’t know much about security, it’s incredibly easy for them to hide their tracks
Whatever happens, do not feed the bully. Never pay.
@Teresa O’Halloran: depends on how sophisticated the attack is. They may have to pay.
@Teresa O’Halloran: if they’ve no backup there might be no option if the information was valuable like a critical database.
@Ger Buckley: it depend on how good their disaster recovery plan is
@Teresa O’Halloran: easier said then done I’m afraid, sometimes companies or countries have to pay a ransom even if there’s a policy of not negotiating with terrorists
@Teresa O’Halloran: that kind of talk sounds amazing but most companies do pay. Colonial gas paid $7million this week.
There is a really good documentary called ‘zero days’, can be streamed at various sites on the subject of State-backed cyber attacks, (not saying this one was). A really good watch!
Watch this space for the next government spending scandal.
Once it’s sorted there’ll be an understandable move to modernise their systems. It’ll be put out to tender and when’s it’s done will end up costing hundred of millons more than it was meant to.
That’s what happens when you send all our staff home to work, not all of them have good WiFi? So I think some of them us hotspots. Very easy to get a bug on our computer,
@Heisen berg1: not sure about all hse staff but I know certain departments are allowed to use open networks on their machines they have to use their own WiFi dongle
@SmallbutMighty: *not allowed
@SmallbutMighty: I’m a chef in a big collage, I even had to do courses on data protection, very good, best thing is turn off WiFi on your phone!
“Alright lads we are going to power up each computer and hope the bold people are gone.”
@Will Roche: Sounds like something Oliver Callan’s version of Paschal Donohue would say!!
Unplug it and restart, always works for me
Although we’re behind on IT in HSE, we’ve got the best IT guys in the world in Ireland
Ctrl Alt Delete
They need to make this a capital offence and send in a dozen reapers.
Tossers these cyber criminals..had a friend of mines PC encrypted with ransom ware.. The bugger deleted all shadow copies as well as all system restore points.. very important to have a back up or even 2… Outlook should have an option to open everything in a sandbox initially to contain any malicious code that may be trying to do what malicious do…Impossible to trace the criminal as most use the Tor browser for payment.. Cowards the lot of them .
Let’s all get out with our hard drives and floppy’s and take back what is ours! We won’t let tiny cyber bullies take our data.
The Journal closing comments on the atrocities in the middle east in an attempt play down what’s going on there – its beyond belief what is happening here and this isn’t something that happened over night. This has been planned for years and the snow flakes in the West stand by and by doing so are guilty in my eyes, as doing nothing is a decision.
I think this should bring a significant focus on the regulation of crypto currencies. I don’t really understand the crypto world that much but surely this is one of the big concerns that authorities have globally around the whole space.
@MB: I suggest educating yourself about the crypto world and more importantly, the blockchain. Just because you don’t understand it, doesn’t mean governments/banks should regulate/control it. That’s the reason we’re in this mess in the first place, governments should never be given control of a country/nations finances. It doesn’t work for the masses and has never worked for the masses and, always collapses in the end as it’s based solely on debt. And oddly enough, what you’ve seen around the world recently, whether it be Myanmar, the streets of the UnUnited States, or god knows where else, is quite simply, the masses saying enough is enough, it ends now, and with Bitcoin and blockchain technology we now have the financial freedom to make this happen.
How are they going to sort it out by not paying?
@james spice: backups. When you have a backup, you should be able to restore the data. It just takes time.
@Claude Saulnier: if they noticed in time It may not have been critical files but servers may have had to have been shutdown to prevent important files being encrypted
@Claude Saulnier: Ok, fair enough. That makes sense. Didn’t know that was an option. I’ve heard it’s utter chaos in the hospitals is all. Not sure they actually have the time.
@james spice: they’re not !
@Claude Saulnier: unless they got access to the backups…
Its not a bit surprising they were done, just look at the Covid response and the ignoring of Ivermectin which could have ended it in January.
The last time I was in a hospital I saw a windows 7 system which they must be paying Microsoft a fortune for to maintain with emergency updates instead of replacing it.
The system should have been easily isolated with multiple layers of backup and redundancy, and offsite isolated virus scanned backups of data in place to minimise the effect of such an event happening. Imbec1les.
@gary mcnamara: Away with your Ivermectin! Even Merck, the company who make it, do it has no effect on Covid. It is an anti-parasitic and a bloody good one. But as regards its anti-viral properties, you may as well suck blue smarties.
@gary mcnamara: knob head
@gary mcnamara: Have you shares in Merck. Seriously it is all you ever go on about.
@Seanboy: knob head yes, but absolutely correct re Windows 7, use it regularly in HSE hospital!
@gary mcnamara: ivermectin will kill hoose and fluke and a lot of other bugs, Gary but it has no effect on viruses. Now, Covexin-10, on the other hand. That could sort it all out. Bit of Levafas Diamond for the stragglers and some calf scour bolus for the scutters.
Have to 3yrs now for appointment instead of 2yrs more trolleys in regional hospital instead of 70 patients on them now
Is all patient ino encrypted? AES 256? The hackers could have some info and will sell it on the dark Web allowing others to build up a cleearer picture on certain individuals (Cross reference with another data dump). We need to have a quick detailed layout of why this occurred
If this was an actual human intrusion to test the system for vulnerabilities to exploit before infecting the system with ransomware, rather than a script kiddie dropping a virus load on the system to make a ransom demand, then this hack could have taken place over a long enough period that any backups, are also seeded with the ransomware and numerous instances of remote login access, let’s be honest they could have spoofed themselves credentials, to have physically installed hardware access too.
@David Van-Standen: chances are this did take place over a length of time. What they normally do is scour the network, study the hierarchy of a company and find sensitive emails and documents, and when they have what they want, then they reveal themselves and ask for the ransoms. Before they would break into a network and just encrypt everything, but security has improved to detect this and stop it. Unfortunately criminals have improved their tactics too.
How much was the ransome?
I wonder could hacking make the system any worse. Maybe the could fix P-Pars while they’re in?
have your say