
Cyber attack: HSE CEO Paul Reid tells High Court all data 'is potentially compromised', as injunctions secured

The orders are against “persons unknown” responsible for accessing the HSE’s IT system and planting a ransomware note on it as discovered by the HSE on May 14


HSE boss Paul Reid


The HSE has secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data stolen from its computer systems in a cyberattack.

The orders are against “persons unknown” responsible for accessing the HSE’s IT system and planting a ransomware note on it as discovered by the HSE on May 14. They also apply to any persons with knowledge of them.

HSE CEO Paul Reid told the High Court all of its data “is potentially compromised” following the massive cyber-crime attack.

In an affidavit, Mr Reid said full recovery of the HSE’s IT systems is likely to take several weeks and the overall impact of the disruption on the HSE and patient care here “cannot be overstated”.

Mr Justice Kevin Cross said he was satisfied to make the orders sought over hacking undertaken for a “particularly heinous form of blackmail”.

At this juncture, it is understood the attack was conducted by the Conti international cyber-crime gang and he was advised it is “highly likely” data has been stolen. An investigation is continuing to determine the extent of the theft.

This is of “grave concern” to the HSE given the potential and imminent risk of publication of confidential medical and personal data relating to individuals contained on the HSE database, according to Mr Reid.

That database contained data which could be categorised under three headings – 1) clinical, laboratories, diagnostics, oncology; 2) patient administration, such as medical cards and administration systems; and 3) corporate (payroll, HR, finance).

“All of this data is potentially compromised,” said Mr Reid.

His affidavit was provided to the court when the HSE applied for orders, granted by Mr Justice Kevin Cross, restraining persons unknown, and any persons with knowledge of the orders, from sharing, selling, publishing, processing or otherwise dealing with the data without the consent of the HSE.

Mr Reid said, on learning of the attack on May 14, the HSE decided to shut down the IT systems across the health service to protect it from the attack and give it time to assess the situation.

There are some 2,000 information and communications technology (ICT) systems, each supported by infrastructure, multiple servers and devices. A rigorous process of assessment and recovery of those is underway and some 80,000 devices need to be checked, requiring significant resources.


The attack and consequential shutdown of the HSE’s IT systems has had a significant impact on hospital appointments and systems and there continues to be major disruption across the country, he said. There is particular impact on radiology, radiotherapy and laboratory systems and essential services such as blood tests and diagnostic services are taking much longer to turn around than usual. Cervical screening appointments were postponed this week.

The immediate focus is to get priority systems back online as quickly as possible, including maternity and infant care, radiology and diagnostics, chemotherapy, radiotherapy and lab services but full recovery is expected to take weeks to achieve, he added.

Fran Thompson, interim Chief Information Officer of the HSE, said on the day in question a call was logged about 2.50am with his office to report the patient management systems and printers were unavailable at St Luke’s Hospital.

At 3am, Our Lady’s Hospital advised their systems were also down. On investigation, a ransomware note was discovered on a personal computer at the latter hospital. At 3.22am, multiple sites were reporting multiple issues across multiple systems.

At 4.41am, a critical incident was declared and the critical incident process was commenced. It was decided to implement a “Contain” phase and all systems were shut down. Initial reports indicated a human-operated ‘Conti’ ransomware attack had severely disabled a number of systems.

Mr Thompson said he is aware of a number of other ransom requests reported upon in the media but cannot yet say whether those other requests are from the perpetrators of the HSE attack as copycat ransom notes from other persons are not unusual.

As well as threats to publish the HSE data, he was also aware of reports of samples of files being offered by the Contilocker team for the purpose of seeking to demonstrate they hold HSE data. He believed it is “more likely than not” those samples derive from the hacking of the HSE system.

As there will be no payment made by the HSE to those responsible, he believed there is a “very real and serious” risk the attackers will publish data and information obtained by them for their own unlawful purposes.

The primary reason why the court orders are being sought is so they will enable the HSE to put information service providers such as Google and Twitter on notice of the prohibition on the dissemination of such information, leading to swifter and more comprehensive removal of any such information if efforts are made to use those providers’ systems to publish it.

In his ruling on the substantive application, the judge said, while the HSE’s application was legally unusual as the courts here generally do not make orders against persons unknown, he was satisfied there is no legal impediment to how the proceedings were constituted. He was also satisfied the orders are necessary and the relevant criteria for them had been met.

It is clear, “as the world knows”, there has been a substantial hacking of the HSE undertaken by anonymous sources for the purposes of blackmail, “always the remedy of a coward”, he said.

This was a “particularly heinous” form of blackmail where those responsible were seeking to put pressure on the HSE and the authorities to give in to the blackmailers’ demands, including by hoping patients with sensitive medical data stored on the HSE system will add to those pressures.

The consequences of the blackmailers’ actions are “particularly cruel” at this time of a worldwide pandemic which is putting strain on the ability of the HSE and other agencies to treat patients, including some suffering from serious and life-threatening conditions.

In this situation, it would be “inconceivable” and “a cause of scandal” if the law was impotent or tied by excessive rules from attempting to stop this “outrage”, he said.
