Tusla to inform 20,000 people their data was stolen during 2021 HSE cyberattack

Child and family agency says stolen data has not been published on the dark web to date

Tusla said names, addresses and case files were among the documents accessed in the data breach. Photograph: Matej Moderc
Tusla said names, addresses and case files were among the documents accessed in the data breach. Photograph: Matej Moderc

Tusla, the child and family agency, is to contact approximately 20,000 of its clients and a small number of employees whose details were illegally accessed and copied during the cyberattack on the HSE in May 2021.

The notification programme, which has commenced, will take until November of this year to complete. Tusla was also affected by the cyberattack as the HSE provides it with IT services.

In a statement Tusla said there is no evidence that any of the information stolen by cyber criminals has been published on the dark web or elsewhere.

Tusla said names, addresses and case files were among the documents accessed in the data breach. Those affected will receive a registered letter and will have the choice of either meeting face to face with a case worker or going directly to a portal to access their personal information that was affected, should they wish to do so.

READ MORE

At the end of December 2021, An Garda Síochána provided Tusla with a copy of the files that were illegally accessed and copied. The agency reviewed the files to identify individuals affected, in accordance with GDPR guidance, and guidance from the Data Protection Commission (DPC).

Tusla’s director of services and integration Kate Duggan sought to reassure its clients and staff that none of the data has been involved in scams or other fraudulent activity to date.

She said Tusla intends to apologise to every person affected by the data breach.

“We have worked hard to create a process that is transparent, empathetic and supportive for those who have been affected, and we will offer each person we write to the choice to call our dedicated team for support and guidance, or, to meet face-to-face with a case worker, should they wish to do so,” Ms Duggan said.

“We acknowledge that it has taken some time for the commencement of this notification programme, however it was crucial that each record that was affected by the cyberattack was carefully reviewed to identify the people affected.

“We also have to ensure that letters are being sent to verified addresses. Notifications will continue over the coming months, and we ask for understanding and patience as we continue to work through this complex process.”

If a person receives a notification letter from Tusla it will contain instructions on what to do next. If a person does not receive a letter, they do not need to contact Tusla or do anything at this time.

Cost of HSE cyberattack rises to €80m, letter showsOpens in new window ]

At the time of the cyberattack, the HSE provided IT services to Tusla. Tusla and the HSE secured a High Court order to restrain any sharing, processing, selling, or publishing of data stolen as part of the cyberattack. The DPC was also notified.

IT systems that support Tusla services were restored by the end of June 2021 and much of its IT infrastructure has since completed a migration to Tusla-owned and secured systems.

At the start of 2022 Tusla commenced a €13 million investment in cybersecurity infrastructure, across device, email, and network security.

Ronan McGreevy

Ronan McGreevy

Ronan McGreevy is a news reporter with The Irish Times