OVER 20 PEOPLE either uploaded or downloaded confidential information stolen in last month’s cyberattack on the HSE onto a web service provided by a Google-owned internet security firm, the High Court has heard.

Justice Tony O’Connor heard today that late last month approximately 27 files stolen from the HSE were downloaded onto a malware analysis service ‘VirusTotal’ which is owned and run by Chronicle Security Ireland Ltd and its US-based parent Chronicle LLC.

The stolen material included sensitive patient information including correspondence, minutes of meetings, and corporate documents, the HSE claims.

It has since been deleted from the service provided by Chronicle, whose ultimate parent is the internet giant Google. However, the HSE says that the material was downloaded 23 times before it was removed on 25 May last.

The defendants have said in correspondence that they want to assist the HSE as much as they can, but for data protection reasons cannot hand over material unless a court orders them to do so.

As a result, the HSE seeks what is known as a ‘Norwich Pharmacal’ order against the two companies requiring them to provide information about those who uploaded or downloaded the material in question.

The order would require the defendants to provide the HSE with the currently unknown persons’ email addresses, phone numbers, IP addresses or physical addresses.

In a sworn statement to the court the HSE’s National Director for Operation Performance and Integration Joe Ryan said last month it became aware of an article published by the Financial Times which referred to some stolen data, and a link used to access the stolen data online.

The HSE sought the return of the data referred to in the article and an explanation as to the location of the link referred to in the article.

Ryan said the FT indicated it had obtained the stolen data from a confidential source which it refused to reveal.

Following the cyber-attack, the HSE obtained a High Court order on 20 May that restrained any sharing, processing, selling or publishing of data stolen from its computer systems.

When the FT received a copy of the order the HSE obtained on 20 May it handed over the information obtained from the source to the HSE’s cyber security advisors, Ryan said.

Ryan said that following an analysis of the material received from the FT it was discovered that the stolen documents were uploaded on the defendants ‘Virustotal’ which is a service designed to screen documents to ensure they are virus free.

After contacting the defendants, Ryan said the stolen material was deleted from the ‘Virustotal’ platform.

He said that the HSE was also informed that before the material was removed a total of 23 subscribers to ‘Virustotal’ had downloaded the stolen data.

As part of its ongoing efforts against those behind the cyber-attack the HSE sought information about those persons, as well as any information on the parties that had uploaded the material on the service.

However, the HSE was informed that arising out of data protection concerns the defendants require a court order in order to comply with the request to deliver up the information sought, Ryan added.

Seeking the disclosure order Jonathan Newman SC, with Michael Binchy Bl for the HSE said that the matter was urgent.

Counsel said at this stage it is hoped that the order sought by the HSE could be finalised when the matter next comes before the court.

Counsel said Chronicle’s lawyers have said in correspondence that it is unlikely to oppose any order, in an agreed form, requiring it to disclose information sought by the HSE.

After considering Newman’s submissions Justice O’Connor, on an ex-parte basis, granted the HSE permission to serve short notice of the proceedings on the defendant companies.

The matter was made returnable to next Tuesday’s sitting of the court.