Ransomware: Patient data could be ‘abused’ after health service attack, warns Irish government

There is a risk that sensitive medical information and other patient data will be leaked in the aftermath of a serious ransomware attack against Ireland’s health services, the Irish government has warned. 

Condemning any public release by the attackers of stolen patient data as “utterly contemptible”, officials have urged anyone who is affected to contact the Health Service Executive (HSE) or the authorities. 

The HSE was the target of a “significant” ransomware cyberattack last week, which has caused country-wide disruptions to key healthcare and social services in hospitals and community centers.

SEE: Network security policy (TechRepublic Premium)

Ransomware is a form of malicious software deployed to encrypt a victim’s files, with the attacker then demanding a ransom in exchange for restoring access to the data.  

The HSE is working with Ireland’s National Cyber Security Centre (NCSC), and experts have already confirmed the attack as a human-operated ransomware variant known as “Conti”. A remote-access tool called Cobalt Strike Beacon was found on the HSE’s systems, which was used by the hackers to move within the computer networks before launching the attack and demanding a ransom. 

Conti deploys what are known as “double extortion” attacks, in which the hackers threaten to make the stolen information public if the ransom isn’t paid. In cases such as this one, it could mean that sensitive patient health data could end up leaked online. 

The Irish government has already confirmed that it will not give in to the attacker’s demands and prime minister Micheál Martin ruled out paying any ransom.  

“This attack on Ireland’s health care system and its patients was carried out by an international cyber-crime gang. It is aimed at nothing other than extorting money and those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen,” said the government in a press release. 

“There is a risk that the medical and other data of patients will be abused,” it added. 

The Garda authorities’ National Cyber Crime Bureau is investigating the exact origin of the hack together with international partners in the EU. Early reports from broadcaster RTE indicate that the gang behind the attacks is the eastern Europe-based “Wizard Spider” group. 

IT systems across the HSE, which were all immediately taken down as a precautionary measure to contain the attack, remain temporarily shut down. This means that some patients are seeing delays in access to care, notably as a result of very limited access to diagnostics, lab services and historical patient records. 

Emergency services as well as the national ambulance service are still running, and the HSE reported that vaccinations against COVID-19 and test-and-trace are operating. The most common impact of the attack is seen in radiology and laboratory systems. 

The HSE is working at speed to restore computer systems, which involves wiping, re-building and updating all the infected devices, before using offsite backups to restore the systems safely.  

SEE: Ransomware just got very real. And it’s likely to get worse

There are up to 2,000 systems to go through and around 80,000 devices to check, all connected to an IT infrastructure that has grown over the course of 30 years. In other words, it could be some time before the situation is fully resolved, and the HSE expects disruptions to continue well into this week. 

“Hundreds of people are working flat out in response to this despicable cyber attack on our health system and on patients. We’re focused on getting health services and appointments for patients back on track as quickly as possible,” tweeted Stephen Donnelly, the minister for health. “Some priorities include radiation oncology, diagnostics, lab services and patient admin systems.

“While it may take weeks to get all systems back, steady progress is being made, starting with services for the most urgent patients.” 

The country’s Department of Health (DoH) also reported an attempted cyberattack just one day before the HSE was targeted, but a combination of antivirus software and other tools deployed as part of an investigation by the NCSC enabled the attack to be stopped before it detonated. The aborted hack is believed to be part of the same campaign targeting the HSE, said the NCSC.