Mercy Hospital secures court injunction against ransomware hackers

Mercy Hospital secures court injunction against ransomware hackers
The Mercy University Hospital has brought proceedings after ransom messages were found on its own private IT systems, including its radiology and emergency department's systems. File picture: Denis Scannell

TUE, 25 MAY, 2021 - 18:35
AODHAN O’FAOLAIN
A Cork-based hospital has secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data believed stolen from its computer systems in the cyberattack.

The orders were made in favour of the Mercy Hospital Cork against “persons unknown” responsible for accessing the hospital's IT system, that is separate from systems operated by the HSE, and planting a ransomware note on it as discovered by the hospital on May 14.

The orders, which are similar to those obtained by the HSE last week, also apply to any persons with knowledge of them.

Ransom messages

The hospital has brought its own proceedings after ransom messages were found on its own private IT systems, including its radiology and emergency department's systems.

Similar injunctive orders obtained by the HSE last week do not cover the hospital's own private data, the court heard.

The orders were granted by Ms Justice Siobhán Stack on Tuesday, who also placed an embargo on the reporting of the application to allow the hospital serve notice of the proceedings on the proposed defendants.

A ransomware note, demanding money, found on the hospital's own private computer system included a link which purports to be a way to contact the hackers.

The court heard it is proposed to serve the proceedings on the unknown hackers via the link.

Seeking the orders, Brian Foley, counsel for the hospital, said it had brought separate, but similar, proceedings from those launched by the HSE.

This is because any data taken from private systems within the hospital that are separate from the HSE, would not be covered by the orders obtained by the HSE in its action.

The hospital is a private voluntary hospital, that hosts public patients and has access to HSE data.


'Heinous criminal action'

Counsel said that as was the case with the HSE, the hospital discovered on May 14 that its own systems had also been subjected to a "heinous criminal action of accessing the hospital's private data."

There was "no possible defence to the proposed defendant's actions," counsel said.

The orders, he said, were needed mainly to prevent anything that is published on the dark web from being published on sites hosted by internet service providers.

Counsel said obtaining's orders against those behind the cyberattack was "not a futile exercise."

While it was not really realistic to find out who these persons are, a court order would ensure internet service providers would take down and remove any data stolen from the hospital's systems published on publicly accessible platforms or websites.

The orders prevent the intended defendants selling, processing, publishing, sharing or making available to any member of the public the stolen HSE data, which includes private medical data of HSE patients.

They also restrain possession, transfer or disclosure of the information obtained from the HSE’s system without the HSE’s consent and require the “persons unknown” to identify themselves by providing names, postal addresses and email addresses.

Claims for damages

The orders were sought in intended proceedings by the hospital which include claims for damages for breach of confidential information, fraud and deceit, conspiracy and conversion of the data which is believed to have been accessed by Russian-based hackers based in Russia.

In a sworn statement to the court, the hospital's ICT manager Peter O'Callaghan said like the HSE's IT system, it was now apparent that the hospital's own systems had been accessed and corrupted by the hackers.

A ransomware note, demanding money, found on the hospital's own private computer system included a link which purports to be a way to contact the hackers.
A ransomware note, demanding money, found on the hospital's own private computer system included a link which purports to be a way to contact the hackers.
This includes the hospital's own 'Intelligo' system, which deals with payroll and human resources. That system contains data such as staff bank account details.

He said a ransomware note found on their private computer systems, that are not linked to the HSE systems, warning the hospital that “YOU SHOUD BE AWARE! Just in case, if you ignore us. We’ve downloaded your data and are ready to publish.”

The note also said that the hospital files were currently encrypted by Conti ransom software and warned it not to use any recovery software, he added.

In response to the attack, he said the hospital has been able to recover some of its systems.

He said at this stage and based on the ransomware note, it was impossible to say that the cyberattack on the HSE had not accessed the hospital's purely private data.

Threatening note

While the HSE may be the hackers' main target, he said given the threatening note on their own systems, it was highly likely that data has been extracted and would be used in a criminal act by the hackers.

In her ruling, Ms Justice Stack said she was satisfied to make orders, sought on an ex-parte basis, by the hospital. The orders, the judge said, were "workable, have purpose and were not futile."

The case was adjourned to a date in July, with liberty to apply to bring the proceedings back before the court should the need arise.