The Health Service Executive has confirmed that details relating to 520 patients, including sensitive information, were published online following following the ransomware attack two weeks ago.
This data leak was first reported by the Financial Times nine days ago. The newspaper reported that 27 files, include personal records of 12 individuals, had been published by the criminals believed to be behind the cyberattack.
However, the HSE has now said 520 patients are affected. Some corporate documents including meetings and correspondence with patients have also been published, it said.
It is the first time HSE has confirmed these documents came from its servers.
“This data was the initial small tranche of data that was previously reported on, and we are not aware of any further attempted publication of our data,” the HSE said.
"We apologise for the inconvenience caused to our patients and service users. The HSE is working with An Garda Síochána on this criminal investigation."
In a statement, the HSE said a “news publication” recently wrote a story saying it had seen HSE data which had been illegally accessed.
“We informed the publication of the court order we obtained in relation to this matter last week and asked them to supply it to us, and they agreed.
“We have examined it and can confirm it is HSE data relating to approx 520 patients, as well as some corporate documents.”
The HSE's data-protection office has notified the relevant health service providers and the Data Protection Commission (DPC), it said.
“The process of notifying the patients involved has commenced. This will involve some further analysis of the data, and we will do this as quickly as possible.”
On Friday evening, the Garda urged anyone who has information or has been affected by the publication of the material to contact their local Garda station for assistance.
A DPC spokeswoman said it had not yet identified the notification from the HSE about the privacy breach relating to the data on the 520 patients. This may be down to the fact that the HSE was not using the usual channels to report breaches due to the disruption to its IT systems, she said.
The gang behind the attack had threatened to publish or sell 700 gigabytes of data by last Monday unless the HSE paid over €16.4 million. The Government has said no ransom will be paid.
There has been no evidence of a mass publication of data since then, although security sources warn it could take weeks to materialise, especially if the data has been sold.
There has been a significant increase this week in reports of people receiving phone calls from fraudsters attempting to extract money while claiming to be from the HSE or Department of Social Protection.
However, there is currently no concrete evidence these fraudsters have access to the stolen data. Garda sources said it is more likely they are simply taking advantage of the situation.
‘Slow’ progress
Efforts are continuing to restore the HSE systems. Some systems are back online but progress has been described as “slow”. The HSE has said the cyberattack will end up costing at least €100 million.
The Defence Forces has provided six computer incident response teams to support the HSE and its contractors in restoring systems around the country.
Meanwhile, the Commission on the Defence Forces has been warned Ireland’s international reputation will be undermined unless the military’s cyber capacity is adequately resourced.
The Irish Business and Employers Confederation (Ibec) called on the Government to “resource and implement” the national cyber security strategy which was published in 2019.
The business community views the Defence Forces as “a critical element of Ireland’s economic infrastructure,” Ibec said, adding that Ireland’s international reputation and capacity to attract investment would be “undermined” unless the Defence Forces were adequately resourced and supported.