Medicine:Health Service Executive cyberattack
Date | 14 May 2021 |
---|---|
Location | Republic of Ireland |
Type | Cyberattack, ransomware using Conti |
Target |
|
Outcome |
|
Suspects | Wizard Spider, ContiLocker Team |
On 14 May 2021, the Health Service Executive (HSE) of the Republic of Ireland suffered a major ransomware cyberattack that caused all of its IT systems nationwide to be shut down.[1][2][3][4]
It was the most significant cybercrime attack on an Irish state agency.[5] Bloomberg News reported that the attackers used the Conti ransomware.[6] The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Russia.[7][8][9] The same group is believed to have attacked the Department of Health with a similar cyberattack.
On 19 May, the Financial Times reviewed private data for twelve individuals which had appeared online as a result of the breach, with admission records and test results present in one case.[10]
Background
The HSE was alerted to the attack at 4am on 14 May 2021.[11] The attack affected both national and local systems, involved in all core services, with the HSE taking down their IT system in order to protect it from the attack and to give the HSE time to consider options.[12]
The COVID-19 vaccination programme was not affected by the attack and proceeded as planned,[6] however the COVID-19 general practitioner and close contact referral system was down, requiring these individuals to attend walk-in sites rather than attend an appointment.[13][1]
The independent TD Cathal Berry stated that the National Cyber Security Centre which is responsible for the state's cyber security, had only 25 members of staff, a budget of €5 million a year, no dedicated premises, and that its position of Director had been vacant for a year due to its salary of €89,000 a year.[14][15] The National Cyber Security Centre is under the remit of the Department of the Environment, Climate and Communications.[16]
Perpetrator & methodology
The attack was described as "human-operated" that used a new variant of the Conti ransomware.[11]
The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.[7][8][9]
Impact
The ransomware cyber attack has had a significant impact on hospital appointments across the country, with many appointments cancelled including all outpatient and radiology services.[17]
Several hospitals described situations where they could not access electronic systems and records and had to rely on paper records.[18] Some have warned of significant disruption with routine appointments being cancelled, including maternity checkups and scans.[19]
The COVID-19 testing referral system was made offline, requiring individuals with suspected cases to attend walk-in COVID-19 testing centres, rather than attend an appointment.[13] The COVID-19 vaccination registration portal was also made offline, but was later back online in the evening.[20]
The Chief Operations Officer of the HSE – Anne O'Connor – said that some cancer and stroke services had been affected and that "the situation will be very serious if it continues into Monday". She said that the most serious concerns were with diagnostics, with radiology systems having gone down, affecting CT and other scans from going ahead.[21] A large amount of out-patient appointments were also cancelled; most community health services are unaffected.[22] O'Connor also reported that "we don't know what data has been taken", but "we know some data has been compromised", with the Data Protection Commissioner being alerted to the potential breach.[23]
The HSE published a list of affected services on its website at lunchtime on 14 May 2021.[24][25]
On 19 May, the Financial Times reviewed "samples" of private data of twelve individuals that was published online, including admission records and laboratory results for a man admitted to hospital for palliative care. In response, the National Cyber Security Centre stated criminal gangs "habitually release stolen information as a means of pressurising organisations into paying a ransom". The ContiLocker Team claimed to also have staff employment contracts, payroll data and financial statements, patient addresses, and patient phone numbers.[10]
Hospital disruptions
County | Hospital |
---|---|
Carlow | St. Luke's General Hospital |
Cavan | Cavan General Hospital |
Clare | Ennis General Hospital |
Cork | Cork University Hospital Cork University Maternity Hospital |
Donegal | Letterkenny University Hospital |
Dublin | Beaumont Hospital Children's Health Ireland at Crumlin Coombe Hospital National Maternity Hospital Rotunda Hospital Royal Victoria Eye and Ear Hospital St. Columcille's Hospital St. James's Hospital St. Luke's Hospital Children's Health Ireland at Temple Street Tallaght University Hospital |
Galway | University Hospital Galway Merlin Park University Hospital Portiuncula University Hospital |
Kerry | University Hospital Kerry |
Kildare | Naas General Hospital |
Kilkenny | Kilcreene Orthopaedic Hospital |
Laois | Midland Regional Hospital, Portlaoise |
Limerick | University Hospital Limerick St. John's Hospital, Limerick University Maternity Hospital, Limerick Croom Hospital |
Louth | Louth County Hospital Our Lady of Lourdes Hospital, Drogheda |
Mayo | Mayo University Hospital |
Meath | Our Lady's Hospital, Navan |
Monaghan | Monaghan Hospital |
Offaly | Midland Regional Hospital, Tullamore |
Roscommon | Roscommon University Hospital |
Sligo | Sligo University Hospital |
Tipperary | South Tipperary General Hospital Nenagh Hospital |
Waterford | University Hospital Waterford |
Westmeath | Regional Hospital Mullingar |
Wexford | Wexford General Hospital |
Response
The HSE is working with the National Cyber Security Centre, An Garda Síochána, Irish Defence Forces, as well as various partners domestically and internationally, including Europol and Interpol.[11][26]
The Minister of State for Public Procurement and eGovernment – Ossian Smyth – said that the attack was international, not espionage, and that "this is a very significant attack, possibly the most significant cyber attack on the Irish State."[27]
The HSE claimed that it was a zero-day-threat and that there was no experience in how to respond to the attack.[28] The Minister for Health – Stephen Donnelly – said that the attack had "a severe impact" on health and social care services.[28] The Director-General of the HSE – Paul Reid – said that the attack will cost "tens of millions" to fix.[23]
A number of news outlets, including Bleeping Computer, reported that a ransom figure of €16.5 million (about $20 million) was made, offering to decrypt data and to not publish "private data".[29][30][31] Initially, the Business Post reported that a ransom demand of three bitcoin or €124,000 (about $150,000) was made.[32] Taoiseach Micheál Martin stated the ransom would not be paid, with the attack instead being dealt with in a "methodical way".[33][34]
American cybersecurity firms McAfee and FireEye were contracted by the HSE after the attack to mitigate the damage, and to monitor dark web sites for leaked data.[35]
On 16 May, it was reported that the Department of Social Protection came under "sustained and fierce attack" but the highly-organised criminal group were unable to breach the security. The Department subsequently suspended its electronic communication channels with the HSE.[36][31]
On 20 May, Minister for Communications Eamon Ryan said a helpline was to be set up to assist individuals who have had health information published as a result of the hack, and that social media companies were asked to not share information that has been released,[37] with a High Court injuction obtained by the HSE to prohibit the sharing of this information.[38][39] On the same day, it was reported that the organised cyber crime group provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.[40][41] Meanwhile, the public was advised by Gardaí to be aware of a number of call and text scams in the wake of the cyber attack amid warnings the delivery of care in the health service would be a high risk for weeks.[42][43]
Department of Health cyberattack
On 16 May, two days after the HSE shut down its IT systems nationwide, the Department of Health confirmed that in the previous week it had been the victim of a separate cyber attack similar to the ransomware attack on the HSE, prompting the shutting down of much of its IT infrastructure.[31][44][45]
According to RTÉ News, a digital note from the cyber crime group believed to be responsible was left on the Department's IT systems, similar to the one discovered at the HSE.[46][47][48]
See also
- Colonial Pipeline cyberattack
- WannaCry ransomware attack - which affected the National Health Service in the United Kingdom
References
- ↑ 1.0 1.1 "Some health service disruption after HSE cyber attack". RTÉ News and Current Affairs. https://www.rte.ie/news/health/2021/0514/1221519-hospital-it-problem/.
- ↑ "Irish health service hit by 'very sophisticated' ransomware attack". Reuters. https://www.reuters.com/technology/irish-health-service-hit-by-ransomware-attack-vaccine-rollout-unaffected-2021-05-14/.
- ↑ "Irish health service hit by cyber attack". BBC News. https://www.bbc.co.uk/news/world-europe-57111615.
- ↑ "Ransomware attack disrupts Irish health services". The Guardian. https://www.theguardian.com/world/2021/may/14/ransomware-attack-disrupts-irish-health-services.
- ↑ "Cyber attack 'most significant on Irish state'". BBC News. 15 May 2021. https://www.bbc.com/news/world-europe-57111615.
- ↑ 6.0 6.1 "Irish Health Service Shuts Down IT System Amid Cyber Attack". https://www.bloomberg.com/tosv2.html?vid=&uuid=54a43320-b4cb-11eb-b71c-bf9004f073cd&url=L25ld3MvYXJ0aWNsZXMvMjAyMS0wNS0xNC9pcmlzaC1oZWFsdGgtc2VydmljZS1zaHV0cy1kb3duLWl0LXN5c3RlbS1hbWlkLWN5YmVyLWF0dGFjaw==.
- ↑ 7.0 7.1 Reynolds, Paul (18 May 2021). "Wizard spider: Who are they and how do they operate?". RTÉ News and Current Affairs. https://www.rte.ie/news/crime/2021/0518/1222349-ransomware-crime-group/.
- ↑ 8.0 8.1 Gallagher, Conor; McQuinn, Cormac. "Dark web ‘dump sites’ being monitored for HSE data after hack" (in en). The Irish Times. https://www.irishtimes.com/news/crime-and-law/dark-web-dump-sites-being-monitored-for-hse-data-after-hack-1.4567731.
- ↑ 9.0 9.1 Horgan-Jones, Jack; Lally, Conor. "Scale of damage from cyberattack on HSE systems will not be known for days" (in en). The Irish Times. https://www.irishtimes.com/news/health/scale-of-damage-from-cyberattack-on-hse-systems-will-not-be-known-for-days-1.4565621.
- ↑ 10.0 10.1 Noonan, Laura; Shotter, James (19 May 2021). "Irish patients’ data stolen by hackers appears online". https://www.ft.com/content/13d33a08-ce83-4f8a-8d93-a60a5e097ed8.
- ↑ 11.0 11.1 11.2 "What we know so far about the HSE cyber attack". RTÉ News and Current Affairs. 14 May 2021. https://www.rte.ie/news/health/2021/0514/1221537-hse-cyber-attack/.
- ↑ Moloney, Eoghan (14 May 2021). "'Serious and sophisticated' - HSE confirms ransomware cyber attack has hit all hospital IT systems". Irish Independent. https://www.independent.ie/irish-news/serious-and-sophisticated-hse-confirms-ransomware-cyber-attack-has-hit-all-hospital-it-systems-40425737.html. Retrieved 15 May 2021.
- ↑ 13.0 13.1 Thomas, Cónal. "Covid-19: GP and close contact referral system down, patients advised to attend walk-in centres" (in en). TheJournal.ie. https://www.thejournal.ie/covid-19-gp-and-close-contact-referral-system-down-patients-advised-to-attend-walk-in-centres-5437186-May2021/.
- ↑ "Ransomware attack defence upgrade urged by TD for part of Laois and Offaly". Leinster Express. https://www.leinsterexpress.ie/news/crime-and-courts/633660/ransomware-attack-defence-upgrade-urged-by-td-for-part-of-laois-and-offaly.html.
- ↑ O'Halloran, Marie. "Cyber security role is vacant because of low salary, TD says" (in en). The Irish Times. https://www.irishtimes.com/news/ireland/irish-news/cyber-security-role-is-vacant-because-of-low-salary-td-says-1.4566803.
- ↑ "NCSC: Contact Page". https://www.ncsc.gov.ie/contact/.
- ↑ "HSE Cyber Security Incident". 19 May 2021. https://www.hse.ie/eng/services/news/media/pressrel/hse-cyber-security-incident.html. Retrieved 19 May 2021.
- ↑ Brennan, Colin (14 May 2021). "HSE issues defiant statement after 'significant ransomware attack'". Irish Mirror. https://www.irishmirror.ie/news/irish-news/hse-cyber-attack-updates-live-24107129. Retrieved 15 May 2021.
- ↑ Clarke, Vivienne (14 May 2021). "Taoiseach insists Ireland will not pay ransom after HSE cyber attack". BreakingNews.ie. https://www.breakingnews.ie/ireland/rotunda-patients-asked-not-to-attend-appointments-amid-system-cyberattack-1127022.html. Retrieved 15 May 2021.
- ↑ Heaney, Steven; Clarke, Vivienne; Glennon, Nicole (14 May 2021). "Ransom will not be paid to perpetrators of HSE cyber attack". Irish Examiner. https://www.irishexaminer.com/news/arid-40289090.html. Retrieved 15 May 2021.
- ↑ Moloney, Eoghan (14 May 2021). "Warning of widespread cancellations for HSE patients if ransomware attack not resolved by Monday". Irish Independent. https://www.independent.ie/irish-news/warning-of-widespread-cancellations-for-hse-patientsif-ransomware-attack-not-resolved-by-monday-40427449.html. Retrieved 15 May 2021.
- ↑ O'Halloran, Marie. "HSE IT system will take "several weeks" to get back up and running – Donnelly" (in en). https://www.irishtimes.com/news/politics/hse-it-system-will-take-several-weeks-to-get-back-up-and-running-donnelly-1.4568804.
- ↑ 23.0 23.1 "Paul Reid says it could cost 'tens of millions' to fix HSE IT systems" (in en). https://www.breakingnews.ie/ireland/paul-reid-says-it-could-cost-tens-of-millions-to-fix-hse-it-systems-1128172.html.
- ↑ 24.0 24.1 "Appointment and service updates – HSE IT system cyber attack". https://www2.hse.ie/services/hospital-service-disruptions/hse-it-system-cyber-attack.html. Retrieved 15 May 2021.
- ↑ McDermott, Stephen (14 May 2021). "HSE cyber attack: what services are affected and which ones are still working?". TheJournal.ie. https://www.thejournal.ie/hse-cyberattack-hospital-health-services-affected-5437328-May2021/.
- ↑ Grennan, Dan (16 May 2021). "New cyber attack carried out on Department of Health as HSE scrambles to get systems back online". Extra.ie. https://extra.ie/2021/05/16/news/irish-news/ransomeware-health-department. Retrieved 16 May 2021.
- ↑ Ní Aodha, Gráinne. "HSE ransomware attack is 'possibly the most significant cyber attack on the Irish State'". TheJournal.ie. https://www.thejournal.ie/hse-cyber-attack-5436981-May2021/.
- ↑ 28.0 28.1 Burns, Sarah; Clarke, Vivienne; Lally, Conor; Cullen, Paul. "HSE cyber attack ‘possibly the most significant’ ever on Irish State" (in en). The Irish Times. https://www.irishtimes.com/news/health/hse-cyber-attack-possibly-the-most-significant-ever-on-irish-state-1.4564957.
- ↑ Abrams, Lawrence (15 May 2021). "Ireland’s Health Services hit with $20 million ransomware demand". https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/. Retrieved 16 May 2021.
- ↑ Weckler, Adrian (16 May 2021). "HSE working to restore IT systems amid claims hackers demand $20m for stolen data". Sunday World. https://www.sundayworld.com/news/irish-news/hse-working-torestoreit-systems-amidclaims-hackers-demand20m-for-stolen-data-40431150.html. Retrieved 16 May 2021.
- ↑ 31.0 31.1 31.2 Ryan, Órla; MacNamee, Garreth; McNally, Tadgh; O'Connor, Niall (16 May 2021). "HSE won't comment on ransom figure, as staff are told to 'protect urgent care'". TheJournal.ie. https://www.thejournal.ie/hse-cyber-attack-cancelled-appointments-5438671-May2021/. Retrieved 16 May 2021.
- ↑ Woods, Killian; Ryan, Emmet; Rogan, Aaron. "Hackers of HSE computer system demanded bitcoin ransom worth $150,000". Business Post. https://www.businesspost.ie/technology/hackers-of-hse-computer-system-demanded-bitcoin-ransom-worth-150000-242b03ae.
- ↑ Aodha, Gráinne Ní. "HSE confirms ransom has been sought over cyber attack but says it will not be paid" (in en). TheJournal.ie. https://www.thejournal.ie/hse-cyber-attack-5436981-May2021/.
- ↑ Horgan-Jones, Jack; Burns, Sarah; Lally, Conor; Cullen, Paul. "Bitcoin ransom will not be paid following cyber attack on HSE computer systems" (in en). The Irish Times. https://www.irishtimes.com/news/health/bitcoin-ransom-will-not-be-paid-following-cyber-attack-on-hse-computer-systems-1.4564957.
- ↑ Correspondent, Conor Gallagher Crime; Correspondent, Cormac McQuinn Political. "Dark web ‘dump sites’ being monitored for HSE data after hack" (in en). https://www.irishtimes.com/news/crime-and-law/dark-web-dump-sites-being-monitored-for-hse-data-after-hack-1.4567731.
- ↑ O'Shea, Cormac (16 May 2021). "Hackers tried to breach social welfare system before HSE attack". Irish Mirror. https://www.irishmirror.ie/news/irish-news/hackers-tried-breach-social-welfare-24119744. Retrieved 16 May 2021.
- ↑ McConnell, Daniel (20 May 2021). "Helpline for people whose health information will be published by cybercrime gang" (in en). Irish Examiner. https://www.irishexaminer.com/news/arid-40294274.html.
- ↑ Carolan, Mary (20 May 2021). "HSE secures injunctions restraining sharing of hacked data" (in en). The Irish Times. https://www.irishtimes.com/news/crime-and-law/courts/high-court/hse-secures-injunctions-restraining-sharing-of-hacked-data-1.4570769.
- ↑ "HSE secures injunction against sharing of stolen data". RTÉ News and Current Affairs. 20 May 2021. https://www.rte.ie/news/health/2021/0520/1222928-hse-cyber-attack/.
- ↑ Reynolds, Paul (20 May 2021). "IT experts testing decryption key sent by criminals behind cyber attack". RTÉ News and Current Affairs. https://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/. Retrieved 20 May 2021.
- ↑ Lally, Conor (20 May 2021). "Cyber gang provides decryption tool to unlock HSE systems". The Irish Times. https://www.irishtimes.com/news/crime-and-law/cyber-gang-provides-decryption-tool-to-unlock-hse-systems-1.4570765. Retrieved 20 May 2021.
- ↑ O'Regan, Eilish (20 May 2021). "HSE and gardaí investigate scam texts and emails in wake of health service cyber-attack". Irish Independent. https://www.independent.ie/irish-news/hse-and-gardai-investigate-scam-texts-and-emails-in-wake-of-health-service-cyber-attack-40450116.html. Retrieved 20 May 2021.
- ↑ Hennessy, Michelle (20 May 2021). "Warning as fraudsters see HSE hack as opportunity to scam people with calls and texts". TheJournal.ie. https://www.thejournal.ie/hse-hack-scammers-5443123-May2021/. Retrieved 20 May 2021.
- ↑ Lally, Conor (16 May 2021). "Department of Health hit by cyberattack similar to that on HSE". The Irish Times. https://www.irishtimes.com/news/health/department-of-health-hit-by-cyberattack-similar-to-that-on-hse-1.4566541. Retrieved 16 May 2021.
- ↑ Moloney, Eoghan; Molony, Senan; Schiller, Robin (16 May 2021). "Department of Health subjected to separate cyber attack". Irish Independent. https://www.independent.ie/irish-news/department-of-health-subjected-toseparate-cyber-attack-40431351.html. Retrieved 16 May 2021.
- ↑ Reynolds, Paul (16 May 2021). "Dept of Health responding to cyber attack since Thursday". RTÉ News and Current Affairs. https://www.rte.ie/news/ireland/2021/0516/1221933-dept-of-health/. Retrieved 16 May 2021.
- ↑ Moloney, Eoghan (16 May 2021). "Department of Health hit with cyber attack after HSE ransomware hacking". Sunday World. https://www.sundayworld.com/news/irish-news/department-of-health-hit-with-cyber-attack-after-hse-ransomware-hacking-40431434.html. Retrieved 16 May 2021.
- ↑ O'Shea, Cormac (16 May 2021). "Department of Health victim of cyber attack similar to that on the HSE". Irish Mirror. https://www.irishmirror.ie/news/irish-news/department-health-victim-cyber-attack-24119533. Retrieved 16 May 2021.