LAST UPDATE | 17 May 2021

THERE IS A risk that medical and other patient data affected by the ransomware attack on the HSE “will be abused”, the Government has warned. 

In a statement this evening, the government said: “These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data.”

Since the HSE announced on Friday that it had been the target of the ransomware attack, in which patient and staff data may have been compromised, the health and security arms of government have been scrambling to take control of the situation.

On Friday, the Master of the Rotunda Maternity Hospital announced on Morning Ireland that its IT system was down, and that it was operating by the “traditional”, paper-based system until further notice.

Minutes later, it was revealed that the issue affected the whole HSE patient system – and all national and local IT systems involved in transferring or storing data needed to be shut down as a precaution.

Around 86,000 computers have been turned off, and a security team are going through 2,000 systems within the HSE to decide what level of access has been gained in the attack. The HSE has said publicly that it is still unclear what data hackers gained access to, whether that be administrative data, patient data, or staff data.

The HSE’s IT systems were hit by a Conti ransomware attack, where attackers enter into a computer system, study how it works, and encrypt the private data before announcing their attack to the victim and demanding a ransom for it not to be published online.

This particular attack was carried out by an international cyber-crime gang, the Government said in a statement this evening. 

“It is aimed at nothing other than extorting money and those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen,” it said, adding: 

“These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data. The significant disruption to health services is to be condemned, especially at this time. 

“Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused. Anyone who is affected is urged to contact the HSE and Garda authorities.”

The Government said its main concern is to secure as speedy a resumption of all medical services “as can possibly be achieved, consistent with ensuring that the HSE’s systems can be safely and robustly restored”. 

There is currently hundreds of people deployed to tackle this attack in accordance with the predetermined plan for such cyber attacks, according to the statement.  

Minister for Justice Heather Humphreys today met with the Garda Commissioner and the head of the Garda Cybercrime Bureau Chief Superintendent Paul Clearly in relation to the attack.

Garda Commissioner Drew Harris informed Humphreys that An Garda Síochána is providing its full support to the National Cyber Security Centre, which is leading the State response to the attack, and is also liaising and cooperating with international law enforcement partners. 

Taoiseach Micheál Martin, Tánaiste Leo Varadkar, Transport Minister Eamon Ryan, Justice Minister Heather Humphreys, Health Minister Stephen Donnelly and Minister of State for Communications Ossian Smyth also met this afternoon to discuss the attack. 

Tomorrow morning, the Oireachtas Transport and Communications Networks committee will hear from officials from the Department of Communications and the National Cyber Security Centre after requesting an “immediate meeting”.

TDs and Senators will raise issues such as how the breaches occurred, the strategy in place to fully repel the attacks and timescale involved for the resumption of normal operations.

As with all security issues, information about the exact amount being sought is scarce and muddled: particularly around what data the hackers have gained access to, and what ransom amount has been sought by hackers.

Ransom speculation

Reports in Sunday newspapers yesterday indicated that hackers may have had access to the HSE system up to two weeks before a ransom was demanded, and reported widely varied ransom amounts being demanded.

The Business Post reported that the hackers demanded three bitcoin or $150,000, while others cited $20 million – a figure first reported by tech website Bleeping Computer.

Neither amounts have been confirmed as accurate by the HSE or Government.

What services are affected

The main crux of the problem for the HSE is that its core patient system, and its radiation diagnostic system ‘Nimis’, are down.

Yesterday on Newstalk’s On The Record, HSE Chief Operations Officer Anne O’Connor gave a general overview of what had been cancelled, including: X-ray appointments, paediatric services, and hospital outpatient appointments in the west were more severely affected.

O’Connor said that the voluntary hospitals – including the Mater, Beaumont, James’, Vincent’s, Tallaght, Mercy and South Infirmary – operate on a different IT system, so that they were impacted, but not as severely.

Beaumont and Connolly appointments are also going ahead, but similar to the voluntary hospital, radiology is still affected. 

Hospitals in the West – Donegal, Sligo, Mayo, and Galway – have cancelled all outpatient appointments; if your appointment is proceeding they will contact you, O’Connor added. The same is the case with children’s health appointments: Crumlin, Temple Street, and Tallaght have cancelled appointments.

Almost all radiation appointments, including X-ray, MRI, and CT scans, have been cancelled, as computers are needed to assess scans.

At Mercy University Hospital in Cork, the ongoing cyber attack has caused “considerable delays” in the emergency department and has affected outpatient services. All radiology OPD appointments and the processing of GP urgent bloods have been cancelled for the remainder of the week. Any patients with an appointment between now and 21 May are urged to contact the hospital to reconfirm their appointment.

The Covid-19 vaccination programme and testing regime is largely unaffected, as it is a newer, separate IT system. 

O’Connor said that there was a risk for the HSE in treating patients with a purely paper-based system.

We can’t order lab tests or radiology electronically. So normally, if you’re in a hospital, it’s all done through computers, and results come back. So for anybody coming in, its back to manual, hand-written notes. We have people in hospitals delivering pieces of papers with lab results, so it really is going back many, many years. There’s a risk with that.

Our priority has got to be to get a patient system back that gives us access to people’s information. So even things like blood transfusions, matching bloods, looking at previous records with medications, allergies, etc – we don’t have access.

The child and family agency Tusla has also been impacted by the attack. Over 90% of the agency’s connectivity, databases and operating systems are on the HSE platform. 

Related Reads

HSE won't comment on ransom figure, as other departments take precautions after cyber attack

'Safe and steady' progress made as HSE attempts to regain control of IT system

HSE confirms ransom has been sought over cyber attack but says it will not be paid

Speaking to RTÉ’s News at One today, Tusla CEO Bernard Gloster explained that the agency’s main casework in child protection, welfare and children in case work is hosted on the National Childcare Information System (NCIS). 

“All the case management information is on that system and that system is currently not available to us. It was switched off as part of the HSE containment, correctly, on Friday morning,” Gloster said. 

Gloster said Tusla has about 20,000 cases open between child protection, welfare and children in care. Those case files are located on the NCIS system, and as a result, are not currently available to Tusla. 

“We can do a significant amount of our work today in terms of engaging with the public, but in terms of having all of the necessary information, the tools to do that, we are quite limited,” he said. 

Anyone who wishes to make a referral about a child can currently do so by contacting local Tusla offices, phone numbers for which are located on the agency’s website. 

People having difficulty locating a phone number of a local Tusla office can call the main office number on 01 771 8500.

What progress has been made

The HSE’s website page of what health services are still available at what hospitals will be updated every hour.

The statement from Government this evening said: “The HSE is continuing the make the necessary arrangements in the interim to provide the maximum possible availability of services to patients across the State. 

“While the process will, inevitably, take some time, the HSE and its partners are working to ensure that the maintenance and restoration of care for patients can progress in the coming days.” 

HSE CEO Paul Reid said on Morning Ireland today that progress had been made over the weekend in going through all of the HSE’s systems and clearing them out one by one. 

He said it would cost “tens of millions” to fix and rebuild the HSE’s IT system from ‘clean’, back-up data. Even after all systems are cleared, it’s possible that hackers could publish any data they obtained if a ransom is not paid.

He said that the capacity of private hospitals will be used, particularly in oncology, to ensure that patients continued to receive the care they needed.

“The risks increase every day as we progress, it’s having very serious impact on people and has very severe consequences for us,” he said, adding that it would impact the HSE “well throughout this week”. 

When asked whether private information could be published online by the hackers, Reid said “that’s what these organisations set out to do”. 

Everything we’re doing since we became aware of this on Friday is setting out to mitigate that, to rebuild our services, to reassess what has been accessed, what may have been accessed, taking back security – but it’s a really difficult process we’re in.