HSE given stolen data, including medical records, taken by criminals during cyber attack in May - Independent.ie
HSE given stolen data, including medical records, taken by criminals during cyber attack in May
Photo: Kacper Pempel/Reuters
Photo: Kacper Pempel/Reuters
Eilish O'Regan
December 20 2021 04:16 PM
The HSE has been given stolen data, including medical records, obtained by criminals during the May cyber attack, it emerged today.
The material was given to the HSE by the Garda National Cyber Crime Bureau who received it from the Department of Justice in the United States under a Mutual Legal Assistance Treaty (MLAT) which was processed by the US courts.
It follows the ransomware attack on the HSE in May by Russian criminals.
The HSE said today: “We expect that this material will include a mix of personal data, medical information, HSE corporate information, commercial data and general non-personal administrative data.”
The HSE said it is reviewing this material to identify any individuals whose personal data was stolen and will notify the relevant data controller and affected individuals as required following engagement with the Data Protection Commissioner.
“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received on December 17, 2021 and don’t yet know the numbers of individuals impacted,” it said.
It said gardaí have given the HSE a copy of the data that was stolen as part of the cyber-attack against the HSE’s ICT infrastructure on May 14.
The HSE said it has been monitoring the internet, including the dark web, since the attack and has seen no evidence at this point that this stolen data has been published online or used for any criminal purposes.
“The HSE carried out an initial technical examination of the material over the weekend and has confirmed that it is data removed from HSE systems.
“The HSE has today updated the Data Protection Commission (DPC) regarding this development and we will continue to engage with the DPC in accordance with the HSE’s obligations under the General Data Protection Regulation and Data Protection Act 2018.”
Daily Digest Newsletter
Get ahead of the day with the morning headlines at 7.30am and Fionnán Sheahan's exclusive take on the day's news every afternoon, with our free daily newsletter.
Enter your Email Address
Sign Up
It added: “Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC. You do not need to do anything or contact the HSE.
“We will continue to work with our technical experts and An Garda Síochána and have seen no evidence of inappropriate use of stolen or copied data, we will continue to monitor the internet including the dark web and social media outlets via specialist monitoring services.
“Since 20 May 2021, the HSE has had a High Court order in place to stop all stolen data including personal and medical information that may have been stolen in the cyber-attack from being published online. The HSE will enforce this order and take appropriate action where necessary to protect this information. “
Photo: Kacper Pempel/Reuters
Photo: Kacper Pempel/Reuters
Eilish O'Regan
December 20 2021 04:16 PM
The HSE has been given stolen data, including medical records, obtained by criminals during the May cyber attack, it emerged today.
The material was given to the HSE by the Garda National Cyber Crime Bureau who received it from the Department of Justice in the United States under a Mutual Legal Assistance Treaty (MLAT) which was processed by the US courts.
It follows the ransomware attack on the HSE in May by Russian criminals.
The HSE said today: “We expect that this material will include a mix of personal data, medical information, HSE corporate information, commercial data and general non-personal administrative data.”
The HSE said it is reviewing this material to identify any individuals whose personal data was stolen and will notify the relevant data controller and affected individuals as required following engagement with the Data Protection Commissioner.
“This could take 12-16 weeks due to the volume of this data. We are at a very early stage of assessing the data received on December 17, 2021 and don’t yet know the numbers of individuals impacted,” it said.
It said gardaí have given the HSE a copy of the data that was stolen as part of the cyber-attack against the HSE’s ICT infrastructure on May 14.
The HSE said it has been monitoring the internet, including the dark web, since the attack and has seen no evidence at this point that this stolen data has been published online or used for any criminal purposes.
“The HSE carried out an initial technical examination of the material over the weekend and has confirmed that it is data removed from HSE systems.
“The HSE has today updated the Data Protection Commission (DPC) regarding this development and we will continue to engage with the DPC in accordance with the HSE’s obligations under the General Data Protection Regulation and Data Protection Act 2018.”
Daily Digest Newsletter
Get ahead of the day with the morning headlines at 7.30am and Fionnán Sheahan's exclusive take on the day's news every afternoon, with our free daily newsletter.
Enter your Email Address
Sign Up
It added: “Where we identify personal information belonging to any individual compromised in this dataset we will take appropriate action at that point following engagement with the DPC. You do not need to do anything or contact the HSE.
“We will continue to work with our technical experts and An Garda Síochána and have seen no evidence of inappropriate use of stolen or copied data, we will continue to monitor the internet including the dark web and social media outlets via specialist monitoring services.
“Since 20 May 2021, the HSE has had a High Court order in place to stop all stolen data including personal and medical information that may have been stolen in the cyber-attack from being published online. The HSE will enforce this order and take appropriate action where necessary to protect this information. “
