VirusTotal ordered to reveal private info of stolen HSE data downloaders

An Irish court has ordered VirusTotal to provide the information of subscribers who downloaded or uploaded confidential data stolen from Ireland’s national health care service during a ransomware attack.

In May, Ireland’s HSE, the country’s publicly funded healthcare system, was the target of a Conti ransomware attack that caused massive disruption of IT systems after devices were encrypted.

As part of this attack, Conti claimed to have stolen 700GB of data that allegedly included patient and employee info, contracts, financial statements, payroll, and more.

To prove the data theft, the Conti gang posted a link to a file in their ransomware negotiation chat that they said contained samples of the stolen data.

Stolen HSE data uploaded to VirusTotal

According to FT.com, this sample of stolen data consisted of 27 stolen HSE files containing patient data, which was subsequently uploaded to the VirusTotal malware scanning site.

“The 27 files include personal records of 12 individuals. One file reviewed by the FT includes admission records and laboratory results for a man who was admitted to hospital for palliative care,” reported FT.com.

“The broad details in that file matched a subsequent death notice seen by the FT.”

In addition to scanning files, VirusTotal acts as a repository of uploaded files allowing subscribers to search for and download files to analyze for their own security research or improve their security software.

However, once a file is uploaded to VirusTotal, it would allow any other subscriber to download and view the confidential data.

After the Irish courts issued an injunction requiring anyone who possessed the stolen data to return it to HSE, FT returned the data but refused to share the source who provided them the samples.

On Tuesday, the High Court of Ireland has issued an order requiring Chronicle Security Ireland and Chronicle LLC, the owners of VirusTotal, to hand over the private information of subscribers who downloaded or uploaded the HSE data.

The private information includes email addresses, phone numbers, IP addresses, or physical addresses

According to TheJournal, the file containing the stolen data was downloaded 23 times from VirusTotal before the service removed it on May 25th.