More than 100,000 people who had their personal data stolen during the HSE cyberattack last year will begin to be contacted by the service in the coming weeks, The Irish Times has learned.
The health service is expected to start contacting people this month, opening the way to further controversy surrounding the attack, and the risk of litigation arising from it.
For the majority of the people impacted, the data concerned is less sensitive, but sources conceded that for a smaller subset the hacked information contained more sensitive details. The HSE has been engaged in a months-long process reviewing the data, as well as analysing how far it has spread, and engaging with the Data Protection Commissioner.
The expectation is that people will be contacted on a staggered basis. The HSE has used servers with copies of the data obtained by the Garda to carry out widespread monitoring. A spokesman for the HSE said that it has “been monitoring the internet, including the dark web since the cyberattack, and has seen no evidence at this point that the illegally accessed and copied data has been published online or used for any criminal purposes”.
“The HSE is taking every step necessary to minimise the impact of this data breach and to safeguard individuals’ personal data against any future unauthorised activity,” the spokesman said, adding that experts continue to monitor for any signs of illegally accessed information and “we will act immediately if they see any evidence of this”.
The majority of those impacted are HSE service users, but some staff members, whose number could run into the thousands, are also included. Tusla, the child and family agency, has previously indicated it had data stolen as well, and it is expected other entities were also impacted but will not be included in the HSE notification process, meaning the total number of people affected is likely to be higher still.
The HSE board earlier this year discussed the potential for litigation arising from the hack, and the merits of establishing a scheme for managing claims.
When the hack was discovered, the HSE shut down huge swathes of its systems to control the incursion, and obtained a High Court order in the following days preventing any sharing, processing, selling or publishing of the data, which remains in place.
The cyberattack has cost the HSE almost €100 million so far, according to a report by the Comptroller and Auditor General (C&AG) released in September. However, this is expected to rise further, while consultants have estimated there will be a need for an additional €657 million for cybersecurity improvements.
The emergence of the number of people affected, and the plan to begin contacting them in the weeks ahead, is also likely to bring renewed focus on the HSE’s cybersecurity systems in place before the attack took place. A PwC report commissioned by the HSE after the attack found that it was operating on a “frail IT estate with an architecture that has evolved rather than be designed for resilience and security” and that there was an over-reliance on legacy systems.
The C&AG said the report found that the HSE’s system had a “flat” nature that “exposed the HSE to the risk of cyberattacks from other organisations connected to the network as well as exposing other organisations to cyberattacks originating from the HSE network”. It found that the computers were monitored for viruses during daytime hours only.
The HSE had flagged cybersecurity weaknesses in its own annual financial statements in 2019, 2020 and 2021.
The attack led to many thousands of medical appointments being cancelled and forced hospitals to run, in some instances, on paper records. Officials also blamed the attack in part for longer waiting lists.