Patient files online ‘very likely’ shared by gang targeting HSE

Gardaí caution against assuming link between HSE cyberattack and call to Tipperary patient

The Garda said there was “a risk that the medical and other data of patients will be abused, either for fraud or by means of public release”.  Photograph: Getty Images
The Garda said there was “a risk that the medical and other data of patients will be abused, either for fraud or by means of public release”. Photograph: Getty Images

Gardaí were on Wednesday night trying to establish if Irish patient details shared on the “darknet” this week were files that came from the cyber attack on the HSE, but they believed it was “very likely” the same gang was involved.

Separately, The Irish Times has confirmed a Co Tipperary GP has made a report to gardaí about a patient being contacted, unsolicited by phone, by a foreign medical company, who knew what procedure the patient was waiting for. The company offered to perform the medical procedure much faster than the Irish health service could.

The matter was raised by Labour Party leader Alan Kelly TD on Wednesday when he told the Dáil the caller from the foreign healthcare provider somehow knew all of the patient's confidential medical details. Mr Kelly linked this to the first leaking of documents accessed during the HSE attack.

Garda sources said that while they were investigating the claims, no evidence had been uncovered to date to suggest there was a link between the call to the man in Co Tipperary and the HSE cyber attack. The same sources cautioned against making assumptions.

READ MORE

Mr Kelly told the Dáil about the Co Tipperary case, saying if this was happening across the country “we have a big problem”.

The Labour TD also highlighted a report in the Financial Times on Wednesday which said that 27 files of 12 people that included lab results and permission records had been published on the darkweb.

Mr Kelly asked what people were meant to do, and called for a clear outline of the procedure to follow.

Criminality

Taoiseach Micheál Martin said it was a “despicable thing to do, to engage in theft of people’s medical records”, adding “we cannot become engaged in rewarding this type of criminality”.

The Irish Times asked Mr Kelly to provide further details about the Co Tipperary case but did not receive a reply.

When contacted for comment, Garda Headquarters in the Phoenix Park, Dublin, said the force "does not comment on unverified content on social media or provide specific commentary on any ongoing criminal investigation".

It added that the Garda was “working actively with international partners” to pursue “every avenue available in investigating those responsible” in the attack on the HSE.

The Garda National Cyber Crime Bureau is leading the criminal investigation in co-operation with the National Cyber Security Centre and the HSE.

The Garda said there was “a risk that the medical and other data of patients will be abused, either for fraud or by means of public release”.

Criminal groups involved in ransomware attacks, it said, “habitually release stolen information as a means of pressurising organisations into paying a ransom”. Garda investigators were working to assess any leaked material to verify it and to limit the exposure of personal data online.

Documents

Detectives working on the Garda investigation into the HSE attack believe it is very likely that the small number of heavily redacted documents that have been shared on the darknet represent a fraction of the material accessed by the Russian-speaking ransomware gang during its attack on the HSE.

Gardaí suspect the files were shared in a bid to put pressure on the HSE and the Irish Government to pay a ransom under threat that all of the files and documents accessed would be shared publicly in the same way or sold to other criminals.

Some of the redacted documents related to patients based in the Munster area and include forms that contain all of the patients' personal details, information about their medical history and the medical professionals treating them.

Other documents appear to be commercial in nature, and relate to contracts between the HSE and some of the suppliers and other partners it works with.

Furthermore, both Garda sources and professionals working on the cyber security field believe the HSE’s IT systems may take a year or more to recover.

They said if personal information was sold to criminals involved in fraud, they could use it as leverage to carry out frauds for years.

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times

Cormac McQuinn

Cormac McQuinn

Cormac McQuinn is a Political Correspondent at The Irish Times