• HSE programme to contact people whose information was illegally accessed and copied during the May 2021 cyber-attack on HSE systems is beginning today. The HSE is writing to those who need to be notified under GDPR.
  • HSE is beginning to notify approximately 113,000 people in a phased way from today and this will continue over the coming months.
  • There is no evidence that any personal data has been shared online (other than a small amount of data at the outset of the cyber-attack which has been taken down from the web) or used for criminal purposes since the cyber-attack.  
  • The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.
  • Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this.
  • Individuals who do not get a letter do not need to contact the HSE or do anything.

The HSE has today (Tuesday, 29th November 2022) started to notify, by letter, patients and HSE staff who had some of their personal information illegally accessed and copied during the cyber-attack on the HSE.

Due to the numbers of people involved, and the need to support each notification, this notification programme will continue in phases over the coming weeks and months. If you do not get a letter you do not need to contact the HSE or do anything. This is to help us to provide an efficient service to the people being notified in stages. It also means we can dedicate our support to people who have been notified.

Joe Ryan, HSE National Director leading the notification programme, today said:

From today, and over the coming months, the HSE will be contacting approximately 113,000 people by letter to inform them that some of their personal data was illegally accessed and copied as part of this cyber-attack.  As a result of our extensive monitoring and support from security services, we have seen no evidence that personal data relating to the HSE cyber-attack has been shared or used fraudulently.

We are very sorry that this occurred and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests. This notification process is an important duty for the HSE, as we held people’s personal data, and through this cyber-attack on HSE systems, that information was compromised.

In the letters to those affected the HSE will be apologising to the people being notified that this happened. People being notified will receive a letter telling them what part of their personal information was impacted. The letter will also outline how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied. This can be done via a portal on the HSE website at hse.ie/dataprotection or by post.

Joe Ryan continued:

The notification process will go on over the coming weeks and months, as we have to take great care in notifying people correctly and securely. The first group being notified includes approximately 850 HSE staff members. We are writing to them to notify them that data relating to their staff travel expense claims was illegally accessed and copied. This data contained some limited financial details.

He added:

We expect the notification process will take a number of months to complete, as we take the time to contact each person, ensure we have a secure communication with them, and go through the process of assisting them if they want to make a request to view their documents.

Of the people being notified, 84% of our notifications relate to patient data and 16% to staff data. This means that over the coming months we will be writing to approximately 94,800 patients and around 18,200 members of staff. We anticipate we will have contacted everybody by April 2023 or sooner.

We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide. We have taken a thorough approach in responding, from the initial cyber-attack to the lengthy period of data review and verification, and now the notification process.

Response to the cyber attack

The health service was targeted by a criminal cyber-attack in May 2021. The aim of this attack was to disrupt our health services and computer systems by encrypting them, illegally access and copy data, and demand a ransom.

The cyber-attack was stopped once we became aware of it, and the HSE has worked with a range of state agencies to respond to it. No ransom was paid by the HSE or the State.

Specialist security partners of the HSE have been monitoring the internet including the dark web since the cyber-attack and have seen no evidence at this point that the illegally accessed and copied data has been published online (other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web) or used for any criminal purposes. 

The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this. 

Ongoing criminal investigation 

The information that was identified as exfiltrated from HSE systems contained data that held information relating to individuals across the country. The cyber-attack on the HSE continues to be an ongoing criminal investigation which limits the amount of detailed information we can share in the public domain in relation to the data which was illegally accessed and copied, or the details of sites affected. This is also to protect against the risk of sites being re-targeted or community based ‘phishing’ scams being mounted in those areas.

Other organisations affected

Due to systems that were shared with the HSE at the time of the cyber-attack, Tusla and Children’s Health Ireland were also impacted. Both Tusla and Children’s Health Ireland will be notifying people in the next phases of their respective processes.

Types of information impacted 

The health service data that was illegally accessed and copied has been thoroughly examined and validated. It is wide-ranging and includes a mixture of personal information, medical information and internal health service data. The internal health service data includes documents such as HR forms submitted by staff in relation to leave and data relating to staff travel expenses.

For the most part, people are being notified that a limited amount of information relating to them was illegally accessed and copied. Personal information includes information on lists such as names, addresses, contact phone numbers, email addresses. Medical information can include some medical notes and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.  

We will continue to liaise with the Data Protection Commission and to work closely with our technical experts, An Garda Síochána and the National Cyber Security Centre.

Further information:

Who is the HSE now notifying?

We are beginning a programme to notify approximately 113,000 people that their data was illegally accessed and copied. Of the people being notified, 84% of our notifications relate to patient data and 16% to staff data. This means that over the coming months we will be writing to approximately 94,800 patients and approximately 18,200 members of staff.

We have carried out a full and detailed assessment of all of the documents in accordance with the GDPR guidelines from the European Data Protection Board and the Data Protection Commission to identify the people we need to write to.

What HSE staff are affected?

Of the approximately 18,200 staff impacted, a smaller group of approximately 850 staff will be contacted in the first stages. These people are being notified in relation to staff travel expense claims data that contained some limited financial details.

Time taken to review the data and notify people

An Garda Síochána returned a copy of data that was illegally accessed and copied to the HSE on 17th December 2021 pursuant to a Mutual Legal Assistance Treaty. Since that time the HSE has reviewed thousands of documents illegally accessed and copied in the cyber-attack. The process has taken a number of months as we had to examine, review and cross-check each document in detail. 

For each document that was illegally accessed and copied, we needed to:

  • review the document and extract information relevant to individuals 
  • take steps to identify the individuals
  • verify their identity
  • seek to ensure contact details were up to date
  • establish a process to notify people in a secure and confidential manner.

What does it mean if I get a letter?

If you receive a letter from the HSE about the cyber-attack this means that some of your personal, medical or financial information was illegally accessed and copied. There is no evidence that any of the illegally accessed and copied information has been misused.

Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information. They are looking for any signs of it being published or used and we will act immediately if they see any evidence of this.

If you do not get a letter you do not need to contact the HSE or do anything. This is to help us to provide an efficient service to the people being notified in stages. It also means we can dedicate our support to people who have been notified.

How does the HSE notification service work?

The purpose of our service for people being notified is to advise them of how this might affect them. We also aim to allow people, if they wish, to see a copy of their information that was compromised. Given the large number of people involved, the HSE has a portal available at www.hse.ie/dataprotection where people who receive a letter can make a request for a copy of their information. 

The quickest way to request your data is online but if you find it difficult to register online you can also register by printing out the document, ‘Request Form for Notified Citizen’, which is on our website and posting it to us. We will need to call you. Full details of how to do this are on hse.ie/dataprotection. They are also outlined below.

In addition, the HSE is providing a call centre service if you need support requesting data via the portal. People can only access the call centre once they have a letter from the HSE and request a call back via the website. This is to help us provide an efficient service to the people being notified in stages. It also means we can dedicate our support to people who have been notified.

If you get a letter about HSE data notification

In the first instance, if you receive a letter, you should read it, and then if you want more information, you can visit the HSE website on www.hse.ie/dataprotection.

If you would then like to make a request to see what data has been illegally accessed and copied, you can make a request via the portal at www.hse.ie/dataprotection.

Verifying your identity

To make a request or to request a call back, we will need to verify your identity, to ensure we are contacting the correct individual with their personal information. This is very important for security reasons. To confirm identity, individuals will need a proof of ID (like a passport or driving licence). This can be done online, using a phone app called IDPal, or by post. More details and the address to verify your identity by post can be found at www.hse.ie/dataprotection.

After you have successfully registered, you will access the Dashboard where you can either request a copy of your information or schedule a call-back with us.

This verification of identity process is needed so that the HSE does not issue personal information to the wrong person.

Requesting my data through the website

You can request a summary of your data from the HSE website. This does not happen immediately; after you make your request, the requested documents will be made available to download on the portal. Our aim is that the requested documents will be available within one month. In some limited situations it may take up to two months longer, in which case we will be in contact with you. You will be notified by text message when they’re available.

Requesting my data via post

The quickest way to request your data is online but if you find it difficult to register online you can also register by printing out the document, ‘Request Form for Notified Citizen’, which you will find on our website and posting it to us. We will need to call you. Full details of how to do this are on hse.ie/dataprotection.

To register with our data notification portal by post you will need:

  • your PIN number – you can find this on the letter we sent you
  • to print out and complete the Request Form for Notified Citizen from hse.ie/dataprotection
  • to photocopy your passport, driving licence or public services card – photocopy both sides of your driver’s licence or public services card.

Send your completed form and photocopy of your ID to: HSE, PO Box 13522, Dublin 8, Ireland.

What practical steps can I take to reduce risk?

We have no evidence that any scams have taken place as a result of the cyber-attack on the HSE. But scams and attempted fraud are common.

  • The HSE or your bank will never phone, text, email or video call you unexpectedly asking for your bank details. Never give your bank details, passwords or personal details if it seems a bit odd or out of the blue.
  • Do not engage with anyone who contacts you saying that they have your PPS number.
  • If you believe you are the victim of a cybercrime please take screenshots of the texts or emails and contact your local Garda Station.
  • It is unlikely that criminals can use any information that has been accessed and copied in this attack to steal money from you. But they may use it to contact you and try to trick you into giving them other information, such as your passwords. This is known as ‘phishing’, ‘smishing’ or ‘vishing’.
  • The simplest thing to do is to ignore the phishing email or text message.

If anyone says that they have your personal information:

  • do not engage with them
  • do not give them any personal information
  • do not click on any links in emails or text messages.

If you suspect you are the victim of potential fraud or a scam:

  • screenshot the email, text message or other communication for Gardaí
  • contact your local garda station – investigators will examine these reports in a sensitive manner.

What do I do if I am contacted by people saying they have my personal health information?

If you are contacted by persons stating that they have your personal health information details and/or bank account details our advice is that you should not engage or provide any personal information. 

If you receive any communication like this:

  • DO NOT engage with the caller
  • DO NOT click on any links in emails or text messages.

If you believe you are the victim of a cybercrime please take screenshots of the texts or emails and contact your local Garda Station.

How has the HSE further strengthened its cyber security?

Cyber-crime is common and is becoming more advanced. Since the cyber-attack we have:

  • further strengthened our IT and cyber security
  • increased our staff training about cyber security
  • worked with international and national cyber security experts to protect against future attacks.

For cyber security reasons, we do not go into detail on exactly what security measures we have put in place. The additional measures deployed to further strengthen the HSE’s cyber security defences include:

  • The engagement of an internationally recognised firm providing managed cyber defences and security operations, monitoring the IT estate, detecting threats and allowing the HSE to take action as required
  • Enhanced user awareness and controls including email validation and additional scanning of all emails prior to receipt by email users
  • We have further strengthened our identity and access management processes and controls
  • We have reduced the level of access provided by the HSE to external partners
  • Applied security configurations to the HSE’s IT infrastructure in line with cyber defence partners’ recommendations
  • Implemented controls to monitor and manage threats to the HSE network.

For more information, please visit www.hse.ie/dataprotection

