Irish Healthcare Ransomware Hack Cost Over 80 Million EurosVictims Still Learning Their Personal Data Was Illegally Accessed, Copied in 2021
A ransomware attack on the Irish healthcare system in 2021 has caused 80 million euros in damages and counting as the government continues to notify victims of the incident that their personal information was illegally accessed and copied.
Costs totaled 42 million euros during 2021 and 39 million euros this year through October, Irish Health Service Executive interim Chief Information Officer Fran Thompson said in a letter to an opposition member of Parliament, The Irish Times reported. The member, Aontú Party leader Peadar Tóibín, has been critical of government officials, accusing them of "negligence in their duty of care for patients' health and their data."
HSE's effort to contact individuals whose personal data was potentially exposed following the hack contributed to the mitigation costs. The health system is still contacting the approximately 113,000 individuals whose data may have been stolen during the attack - 94,800 patients and 18,200 staff. Investigators say they have been unable to conclusively determine whether attackers exfiltrated data, although some health system data appeared on the dark web.
Russian ransomware group Conti claimed credit for the spring 2021 attack that began when the attackers sent a phishing email with a malicious Microsoft Excel file attached and ended with nearly 80% of HSE data under malicious encryption, including medical and banking data.
The incident forced the national health service provider to shut all its IT systems serving healthcare facilities throughout Ireland (see: Ransomware Gang Provides Irish Health System With Decryptor).
An assessment of the attack commissioned by the HSE Board and prepared by PwC found that the health service lacked a senior executive responsible for cybersecurity. The review faulted the service for lack of security monitoring and an effective patching program. The health service's cybersecurity program essentially consisted of "a single antivirus product that was not monitored or effectively maintained with updates across the estate," the assessment says.
The antivirus signatures for the workstation that was initially infected by Conti attackers had not been updated for more than a year.
The health service obtained a High Court order after the attack, prohibiting the sharing, processing, selling or publishing of data illegally accessed from it.