[BreachExchange] HSE confirms data of 520 patients published online

Tue Jun 1 17:03:54 EDT 2021

https://www.irishtimes.com/news/crime-and-law/hse-confirms-data-of-520-patients-published-online-1.4578136

The Health Service Executive has confirmed that details relating to 520
patients, including sensitive information, were published online following
the ransomware attack two weeks ago.

This data leak was first reported by the Financial Times nine days ago. The
newspaper reported that 27 files, including personal records of 12
individuals, had been published by the criminals believed to be behind the
cyberattack.

However, the HSE has now said 520 patients are affected. Some corporate
documents including meetings and correspondence with patients have also
been published, it said.

It is the first time HSE has confirmed these documents came from its
servers.

“This data was the initial small tranche of data that was previously
reported on, and we are not aware of any further attempted publication of
our data,” the HSE said.

“We apologise for the inconvenience caused to our patients and service
users. The HSE is working with An Garda Síochána
<https://www.irishtimes.com/topics/topics-7.1213540?article=true&tag_organisation=Garda+S%C3%ADoch%C3%A1na>
on
this criminal investigation.”

In a statement, the HSE said a “news publication” recently wrote a story
saying it had seen HSE data which had been illegally accessed.

“We informed the publication of the court order we obtained in relation to
this matter last week and asked them to supply it to us, and they agreed.

“We have examined it and can confirm it is HSE data relating to approx 520
patients, as well as some corporate documents.”

The HSE’s data-protection office has notified the relevant health service
providers and the Data Protection Commission
<https://www.irishtimes.com/topics/topics-7.1213540?article=true&tag_organisation=Data+Protection+Commission>
(DPC),
it said.

“The process of notifying the patients involved has commenced. This will
involve some further analysis of the data, and we will do this as quickly
as possible.”

On Friday evening, the Garda urged anyone who has information or has been
affected by the publication of the material to contact their local Garda
station for assistance.

A DPC spokeswoman said it had not yet identified the notification from the
HSE about the privacy breach relating to the data on the 520 patients. This
may be down to the fact that the HSE was not using the usual channels to
report breaches due to the disruption to its IT systems, she said.

The gang behind the attack had threatened to publish or sell 700 gigabytes
of data by last Monday unless the HSE paid over €16.4 million. The
Government has said no ransom will be paid.

There has been no evidence of a mass publication of data since then,
although security sources warn it could take weeks to materialise,
especially if the data has been sold.

There has been a significant increase this week in reports of people
receiving phone calls from fraudsters attempting to extract money while
claiming to be from the HSE or Department of Social Protection.

However, there is currently no concrete evidence these fraudsters have
access to the stolen data. Garda sources said it is more likely they are
simply taking advantage of the situation.
‘Slow’ progress

Efforts are continuing to restore the HSE systems. Some systems are back
online but progress has been described as “slow”. The HSE has said the
cyberattack will end up costing at least €100 million.

The Defence Forces has provided six computer incident response teams to
support the HSE and its contractors in restoring systems around the country.

Meanwhile, the Commission on the Defence Forces has been warned Ireland’s
international reputation will be undermined unless the military’s cyber
capacity is adequately resourced.

The Irish Business and Employers Confederation (Ibec) called on the
Government to “resource and implement” the national cyber security strategy
which was published in 2019.

The business community views the Defence Forces as “a critical element of
Ireland’s economic infrastructure,” Ibec said, adding that Ireland’s
international reputation and capacity to attract investment would be
“undermined” unless the Defence Forces were adequately resourced and
supported.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210601/78bff875/attachment.html>