Cyber Attack

HSE begins notifying 113,000 people whose information was accessed during 2021 cyber-attack

Those who had some of their personal information illegally accessed will be notified by letter over the coming months.

THE HSE HAS begun notifying people whose information was illegally accessed during the criminal cyber-attack on the health service last year. 

A phased notification process will take place over the coming months due to the numbers of people involved.

Around 113,000 people who had some of their personal information illegally accessed and copied during the cyber-attack will be notified by letter. Of those, around 94,800 are patients and around 18,200 are staff.

Of the staff impacted, a smaller group of around 850 HSE staff members will also be contacted in the first stages in relation to staff travel expense claims’ data that contained some limited financial details. 

People being notified will receive a letter telling them what part of their personal information was impacted. The HSE will also be apologising in the letters to the people being notified that this happened. 

The letter will also outline how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied.

This can be done via a portal on the HSE website or by post. Those who wish to view the documents will need a proof of ID, like a passport or driving licence.

The health service said that those who do not get a letter do not need to contact the HSE or do anything.

Due to systems that were shared with the HSE at the time of the cyber-attack, Tusla and Children’s Health Ireland were also impacted.

Both Tusla and Children’s Health Ireland will be notifying people in the next phases of their respective processes, the HSE confirmed. 


In May 2021, the HSE was targeted by a criminal cyber-attack, the aim of which was to disrupt the health service and computer systems, illegally access and copy data, and demand a ransom for its return.

The cyber-attack was stopped once the HSE became aware of it. No ransom was paid by the HSE or the State.

The attack resulted in the HSE having to close down its all of its IT services, causing widespread delays and the cancellation of appointments at hospitals across the country.

The HSE said it has been monitoring the internet including the dark web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online.

This excludes a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web.

It added that it will immediately act if they see evidence of the data being published or used.

“As a result of our extensive monitoring and support from security services, we have seen no evidence that personal data relating to the HSE cyber-attack has been shared or used fraudulently,” Joe Ryan, the HSE National Director leading the notification programme, said today.

“We are very sorry that this occurred and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests,” he said.

“This notification process is an important duty for the HSE, as we held people’s personal data, and through this cyber-attack on HSE systems, that information was compromised.”

The HSE obtained a High Court order on 20 May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems.

This remains in place to prevent anyone using any of the illegally accessed and copied information.

The cyber-attack continues to be an ongoing criminal investigation which limits the amount of detailed information the HSE can share in the public domain in relation to the data which was illegally accessed and copied, or the details of sites affected.

Ryan added that the HSE anticipates it will have contacted everyone affected by April 2023 or sooner.

“We expect the notification process will take a number of months to complete, as we take the time to contact each person, ensure we have a secure communication with them, and go through the process of assisting them if they want to make a request to view their documents,” he said.

“We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide. We have taken a thorough approach in responding, from the initial cyber-attack to the lengthy period of data review and verification, and now the notification process.”

Reducing risk

The HSE said it has seen no evidence that any scams have taken place as a result of the cyber-attack, but added that scams and attempted fraud are common.

It is reminding people that the HSE or a bank will never phone, text, email or video call anyone unexpectedly asking for bank details, and that they should never give bank details, passwords or personal details if it seems a bit odd or out of the blue.

It said that people should not engage with anyone who contacts them saying that they have their PPS number.

The HSE also advised people not to engage or provide any person information to anyone who might contact them claiming to have their personal health information details or their bank account details. 

Anyone who believes they are the victim of a cybercrime or of potential fraud is advised to take screenshots of the texts or emails and to contact their local Garda Station.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel