On 13 May 2021, Ireland’s public healthcare service, the Health Service Executive (“HSE”) suffered a major ransomware attack, described by the State broadcaster RTÉ as “the most serious ever attack on the State’s critical infrastructure”. Two days later, on 15 May, it was announced that the government’s Department of Health was the victim of a similar attack.
It has now been confirmed that the HSE and Department of Health IT systems were the subject of a Conti ransomware attack. Conti ransomware is human-operated “double extortion” software which threatens to expose data as well as encrypting it. It is understood that the group behind the cyberattacks operates from Eastern Europe and has already targeted high profile bodies such as the FBI and Interpol. Ireland’s prime minister, Taoiseach Micheál Martin, has already announced that the State will not be making any ransom payments to the hackers.
Efforts to restore and contain the HSE’s systems are ongoing with the HSE’s Chief Clinical Officer confirming on 17 May that the disruption will go on “well into this coming week”. It is expected that the attacks will cost the State “tens of millions” of euro to restore its systems fully. The attacks have had a significant practical effect on the country’s health service, with thousands of patients’ appointments having to be cancelled or rescheduled.
To date, neither the HSE nor the Department has clarity as to what and whose personal data was compromised by the attacks. Minister of State for Communications, Ossian Smyth, has warned that there is a risk that the affected data “may” be published by hackers. However, Mr. Smyth stressed that the HSE does not centrally process significant amounts of clinical patient data, meaning that much of the data accessed is likely to be administrative rather than sensitive patient personal data.
In addition to the time and expense being incurred by the HSE and the Department to restore their computer systems, it is likely that both bodies will find themselves subject to the scrutiny of Ireland’s data protection regulator, the Data Protection Commissioner. Furthermore, the bodies may find themselves at the receiving end of a spate of data protection court actions (pursuant to the Data Protection Act 2018) by affected data subjects, particularly where it is likely that at least some of the data involved relates to sensitive medical information.
The attacks are reminiscent of 2017’s infamous WannaCry ransomware attack which infected the IT systems of thousands of companies worldwide, including the UK’s NHS. There has been a marked increase in cyberattacks of this nature and cybercrime generally in the last 18 months, which would appear to be as a result of hundreds of thousands of businesses being forced to move fully online due to COVID-19. Indeed, Ireland’s Department of Justice and Equality had only recently published a timely report on Cybercrime, which addressed a range of topics including emerging threats posed by cybercrime and how best to respond to cybercrime attacks (a copy of the Department’s report can be found here.
It is difficult to overstate the seriousness of the impact of the attacks on the HSE and the Department with the ramifications likely to continue well into 2021 and 2022.The news of the attacks serve as a salutary reminder to all businesses to remain vigilant in relation to their online activity. It is imperative that all companies have robust cybercrime and cyber security training/policies in place to ensure that staff can identify and minimise the risk of a cyberattack occurring. Failure to do so could result in a costly lesson for businesses.
