Message demanding ransom found on Cork hospital’s private IT system

Mercy University Hospital gets injunctions restraining sharing or selling of stolen data

The orders were granted at the High Court on Tuesday by Ms Justice Siobhán Stack.
The orders were granted at the High Court on Tuesday by Ms Justice Siobhán Stack.

A Cork-based hospital has secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data believed stolen from its computer systems in cyberattack.

The orders were made in favour of the Mercy Hospital Cork against “persons unknown” responsible for accessing the hospital’s IT system, that is separate from systems operated by the Health Service Executive, and planting a ransomware note on it as discovered by the hospital on May 14th.

The orders, which are similar to those obtained by the HSE last week, also apply to any persons with knowledge of them.

The hospital has brought its own proceedings after ransom messages were found on its own private IT systems, including its radiology and emergency department’s systems.

READ MORE

Similar injunctive orders obtained by the HSE last week do not cover the hospital’s own private data, the court heard.

The orders were granted on Tuesday by Ms Justice Siobhán Stack, who also placed an embargo of 6.30pm on Tuesday on the reporting of the application to allow the hospital serve notice of the proceedings on the proposed defendants.

A ransomware note, demanding money, found on the hospital’s own private computer system included a link which purports to be a way to contact the hackers. The court heard that it is proposed to serve the proceedings on the unknown hackers via the link.

In a sworn statement to the court the hospital’s IT manager Peter O’Callaghan said like the HSE’s IT system, it was now apparent that the hospital’s own systems have been accessed and corrupted by hackers.

He said a ransomware note was found on their private computer systems. “YOU SHOULD BE AWARE! Just in case, if you ignore us. We’ve downloaded your data and are ready to publish,” it said.

The note also said the hospital files were currently encrypted by Conti ransom software and warned it not to use any recovery software, he added.

Seeking the orders, Brian Foley SC for the hospital said it had brought separate but similar proceedings from those launched by the HSE.

This is because any data taken from private systems within the hospital that are separate from the HSE would not be covered by the orders obtained by the HSE in its action. The hospital is a private voluntary hospital that hosts public patients and has access to HSE data.

‘Heinous action’

Mr Foley said that, as was the case with the HSE, the hospital discovered on May 14th that its own systems had also been subjected to a “heinous criminal action of accessing the hospital’s private data”.

There was “no possible defence to the proposed defendant’s actions,” he said.

The orders, he said, were needed mainly to prevent anything that is published on the darkweb from being published on sites hosted by internet service providers (ISPs).

Counsel said obtaining’s orders against those behind the cyberattack was “not a futile exercise”.

While there was not much of a reality to finding out who these persons are, a court order would ensure ISPs would take down and remove any data stolen from the hospital’s systems published on publicly accessible platforms or websites.

The orders prevent the intended defendants from selling, processing, publishing, sharing or making available to any member of the public the stolen HSE data, which includes private medical data of HSE patients.

They also restrain possession, transfer or disclosure of the information obtained from the HSE’s system without the HSE’s consent and require the “persons unknown” to identify themselves by providing names, postal addresses and email addresses.

The orders were sought in intended proceedings by the hospital which include claims for damages for breach of confidential information, fraud and deceit, conspiracy and conversion of the data which is believed to have been accessed by Russian-based hackers.

The case was adjourned to a date in July, with liberty to apply to bring the proceedings back before the court should the need arise.