
HSE to begin notifying people whose information was illegally accessed during 2021 cyber-attack

Around 113,000 patients and staff had some of their information illegally accessed and copied.

THE HSE WILL this month begin a data notification programme relating to the criminal cyber-attack on the health service in May 2021. 

This programme will take several months, the HSE said, and around 113,000 patients and staff who had some of their personal information illegally accessed and copied during the cyber-attack will be notified by letter. 

They will then have an opportunity to get advice and further support from the HSE. 

The HSE said that due to the numbers of people involved, and the need to support each notification, this will begin later this month and continue in phases over the coming weeks and months. 

Of the people being notified, 86% relate to patient data and 14% to staff data. 

The HSE anticipates it will have contacted everyone by April 2023 or sooner. 

“We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide,” Joe Ryan, HSE national director leading the programme, said.

“We have taken a thorough approach in responding, from the initial response, to the lengthy period of data review, and now the notification process,” Ryan said.

“We are sorry that this happened, and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests.”

Cyber-attack

The HSE was targeted by a criminal cyber-attack in May 2021.

The aim of this attack was to disrupt the health service and computer systems, illegally access and copy data, and demand a ransom for its return.

The cyber-attack was stopped once the HSE became aware of it. No ransom was paid by the HSE or the State.

The HSE said it has been monitoring the internet including the web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online. This excludes a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web.

The HSE obtained a High Court order on 20 May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

Information accessed

The HSE said the cyber-attack remains the subject of an ongoing criminal investigation, which limits the amount of detailed information it can share in the public domain in relation to the data that was accessed and copied.

However, it has said files that were illegally accessed and copied are wide-ranging and include a mixture of personal information, medical information and internal health service files. They include documents such as HR forms submitted by staff in relation to leave and a limited amount of financial information mainly relating to staff expenses. 

For the most part, people will be notified that a limited amount of information relating to them was illegally accessed and copied.

Personal information includes information on spreadsheets such as names, addresses, contact phone numbers, email addresses. Medical information can include some medical records and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.

Because they shared systems with the HSE at the time of the attack, Tusla and Children’s Health Ireland were also impacted and will be notifying people in the next phases.

Tusla will begin its own notification process to people affected in the coming weeks. 

The HSE said it will continue to liaise with the Data Protection Commission and to work closely with its technical experts, An Garda Síochána and the National Cyber Security Centre.
