HSE to begin contacting over 110,000 people affected by cyber attack

THE HEALTH Service Executive (HSE) will this month begin contacting those whose information was illegally accessed and copied during the May 2021 cyber-attack on its IT systems.

Approximately 113,000 people will be notified, with the programme expected to take several months as patients and staff will be notified by letter.

Those affected will then have an opportunity to get advice and further support from the HSE.

Of the people being notified, 86% of notifications relate to patient data, with 14% relating to staff data.

The files which were accessed and copied are wide-ranging and include a mixture of personal information, medical information and internal health service files. They include documents such as HR forms submitted by staff in relation to leave and a limited amount of financial information mainly relating to staff expenses.

Personal information includes information on spreadsheets such as names, addresses, contact phone numbers and email addresses. Medical information can include some medical records and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.

Due to the numbers of people involved, and the need to support each notification, the process is expected to be completed in April 2023 at the latest.

Joe Ryan, the HSE National Director who is leading the programme, said the HSE regrets the copying of data as a result of the cyber-attack.

"Thanks to our extensive monitoring and support from security services, we have seen no evidence that personal data relating to the HSE cyber-attack has been shared or used fraudulently.

"This notification process is an important duty for the HSE, as we held people’s personal data, and through this cyber-attack on HSE systems, that information was compromised. In the letters to those affected the HSE will be apologising to the people being notified.

"We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide. We have taken a thorough approach in responding, from the initial response, to the lengthy period of data review, and now the notification process. We are sorry that this happened, and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests."

The cyber-attack in May 2021 crippled the health system in Ireland, with computer systems and data being held for ransom.

Over 80% of HSE IT infrastructure and health service sites all over the country were affected by the cyber-attack.

The HSE has been monitoring the internet including the web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online.

The cyber-attack continues to be an ongoing criminal investigation which limits the amount of detailed information we can share in the public domain in relation to the data which was illegally accessed and copied.

 

Report

An independent report into the incident published in December 2021 found that there was a lack of preparedness within the HSE to defend against or respond to a cyber attack.

It stated the HSE "did not have a single responsible owner for cybersecurity, at senior executive or management level at the time of the incident" and that it was a known issue that teams that had elements of cybersecurity in their remit were under-resourced.

It also delved into the timeline of the cyber-attack, and found that the attack originated on 18 March from a malware infection on an HSE workstation.

The infection was the result of the user of the workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user two days previously.

After gaining unauthorised access from 18 March, the attacker continued to operate in the environment over an eight-week period before the 'detonation' of the attack on 14 May.