Ie: HSE patients startled to get alerts about personal info stolen by hackers

Reminder: If you are first sending out data breach notification letters two years after the breach, you might want a public announcement or media campaign to alert the public that letters are going out. Daire Fitton reports: People across Cork have raised concerns with the HSE after suddenly receiving letters about their leaked personal information almost two years on from the 2021 cyber attack that paralysed the health service. The letters came out of the blue with no campaign launched by the HSE to keep the public in the loop about what’s going on with their compromised personal information. All post is being sent out in batches between now and the end of April. More than 113,000 people had their information stolen, including their names, addresses, PPS numbers, emails and phone numbers. HSE employees were the worst affected with hackers getting hold of the banking details of about 1,000 current and former staff. Read more at CorkBeo.

Cost of HSE cyberattack by Conti rises to €80m, letter shows

Jennifer Bray reports: The cost of the cyberattack on the Health Service Executive has risen to €80 million, according to new information. In a letter to Aontú leader Peadar Tóibín last Friday, HSE chief information officer Fran Thompson said that the costs came to more than €42 million in 2021 and to nearly €39 million until October of this year. Read more at The Irish Times.

HSE cyberattack: More than 100,000 people whose personal data stolen to be contacted

Jack Horgan-Jones reports: More than 100,000 people who had their personal data stolen during the HSE cyberattack last year will begin being contacted by the service in the coming weeks, The Irish Times has learned. The health service is expected to start contacting people this month, opening the way to further controversy surrounding the attack, and the risk of litigation arising from it. Read more at The Irish Times. That is a long gap between breach and notification. Was all the public news coverage about the breach last year enough to alert people that their data had possibly been accessed, acquired, and leaked? Did any fraud or other harms occur between then and now that might have been avoided with earlier individualized notification?  The HSE told Irish Times that it has “been monitoring the internet, including the dark web since the cyberattack, and has seen no evidence at this point that the illegally accessed and copied data has been published online or used for any criminal purposes” But what about the harms that may have occurred due to delayed or canceled care appointments or lack of access to records? The Conti attack was one of the worst ever in terms of impact on the medical sector. The HSE reportedly had poor defenses in place before the attack that began in May 2021 and equally poor plans for responses or mitigation. Would any litigation now or regulator penalties merely take away more funds or resources from hardening their security and leave them more vulnerable to more attacks?  How will this all work out down the road?

HSE hack victims who had personal information stolen have not been told they were targets

Ferghal Blaney reports: Hacking victims who had their personal information stolen during the HSE ransomware attack last year have not been told they were targeted. It’s a legal requirement for the health authority’s IT management to inform them under GDPR rules. The HSE said in a statement that it was taking time to get through all of the affected data. Read more at Dublin Live.

Ie: Mother seeking compensation from HSE over data breach involving report into treatment of toddler at hospital reports: A report compiled by the HSE in response to a complaint about the treatment given to a 19-month-old patient found its way into the wrong hands, Wexford Circuit Court was told. The result was a case taken on behalf of the now three-year-old girl from County Wexford seeking compensation for the breach of data protection protocols. Read more at It sounds like the report on the complaint filed about the child’s care wound up being sent to the wrong individual, who notified the mother via Facebook that she had received the report. The HSE apologized and offered €3,000 compensation, but so far the mother has not accepted that offer, it seems. Can you imagine if every mismailing resulted in €3,000 compensation?

HHS: Lessons learned from the HSE cyberattack

HHS Cybersecurity Program has released a new threat brief on lessons learned from the HSE cyberattack. covered the incident and aftermath in a number of articles because of the significance of the breach impacting patient care — including for cancer patients — and the unusual twist the case took when the Conti threat actors turned around and gave HSE the decryption key but still demanded ransom to delete and presumably destroy data the threat actors had exfiltrated. The HSE’s own report on the incident — a whopping 157 pages —  can be found here. Download HHS’s threat brief.      

HSE given stolen data, including medical records, taken by criminals during cyber attack in May

Eilish O’Regan reports: The HSE has been given stolen data, including medical records, obtained by criminals during the May cyber attack, it emerged today. The material was given to the HSE by the Garda National Cyber Crime Bureau who received it from the Department of Justice in the United States under a Mutual Legal Assistance Treaty (MLAT) which was processed by the US courts. It follows the ransomware attack on the HSE in May by Russian criminals. Read more at The

Ie: Hackers accessed HSE system eight weeks before cyber attack

Dyane Connor reports: The cyber attackers who hacked the Health Service Executive’s IT system, had accessed the system eight weeks before it detonated the malicious software, which caused devastating disruption across healthcare services. A report by PricewaterhouseCoopers (PwC) has found there were several “missed opportunities” after a phishing email was opened allowing the attacker access to the system. Read more at RTÉ.

Cancer patient to sue Cork’s Mercy Hospital over HSE ransomware incident

Sean O’Riordan and Shauna Bowers report: One of the first legal cases over the release of sensitive medical information on the dark web as part of the HSE cyber hack has been lodged at Cork Circuit Court. The case was lodged on Monday against Mercy University Hospital (MUH) by a Cork solicitor acting on behalf of a middle-aged family man who received treatment there for cancer. Read more on The Irish Examiner.

Ie: Delayed cancer diagnoses fears over HSE cyberattack backlog

Niamh Griffin reports: Two months on from the cyberattack on the HSE and the consequences for patients are only starting to emerge, health professionals have warned. Vice-president of the Irish Hospital Consultants Association, Professor Rob Landers, said the IHCA has specific concerns around delayed cancer diagnoses. “If there is a high suspicion that a patient has a cancer, that is always treated as urgent and it will go through,” he said. […] “The cyberattack completely crippled the laboratory and radiology systems,” he said. “We effectively could only do about 5% of normal activity for a good three to four weeks.” […] It is now believed about 10,000 patients missed out on appointments following the May 14 IT attack, including thousands of virtual appointments, she said. Read more on Irish Examiner. This has always been the risk/concern about ransomware attacks on health systems — that care would be interrupted, and lives potentially lost. As a reminder, this attack was attributed to Conti threat actors, who are linked to Russia. You can probably read my thoughts about now.