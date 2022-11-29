The HSE today started to notify 113,000 patients and HSE staff who had some of their personal information illegally accessed and copied during the cyber-attack on health service systems in May last year.

Joe Ryan, HSE national director leading the notification programme, said: “From today, and over the coming months, the HSE will be contacting approximately 113,000 people by letter to inform them that some of their personal data was illegally accessed and copied as part of this cyber-attack. As a result of our extensive monitoring and support from security services, we have seen no evidence that personal data relating to the HSE cyber-attack has been shared or used fraudulently.”

Mr Ryan added: “We are very sorry that this occurred and ask for people’s understanding as we work through this complex administrative process, in which we hope to support people and continue to answer their questions and requests. This notification process is an important duty for the HSE, as we held people’s personal data, and through this cyber-attack on HSE systems, that information was compromised.”

In the letters to those affected, the HSE will be apologising to the people notified.

Those being notified will receive a letter telling them what part of their personal information was impacted. The letter will also outline how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied. This can be done via a portal on the HSE website at hse.ie/dataprotection or by post.

Mr Ryan added: “The notification process will go on over the coming weeks and months, as we have to take great care in notifying people correctly and securely. The first group being notified includes approximately 850 HSE staff members. We are writing to them to notify them that data relating to their staff travel expense claims was illegally accessed and copied. This data contained some limited financial details.”

Mr Ryan said the process will take a number of months to complete, as the HSE must ensure it contacts the right person and has secure communication with them.

“Of the people being notified, 84pc of our notifications relate to patient data and 16pc to staff data,” Mr Ryan said.

"This means that over the coming months we will be writing to approximately 94,800 patients and around 18,200 members of staff. We anticipate we will have contacted everybody by April 2023 or sooner.

“We sincerely regret the impact this cyber-attack has had on our health service, our patients and our teams nationwide. We have taken a thorough approach in responding, from the initial cyber-attack to the lengthy period of data review and verification, and now the notification process.”

Mr Ryan said that security specialists working with the HSE have been monitoring the internet including the dark web since the cyber-attack and have seen no evidence at this point that the illegally accessed and copied data has been published online, other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web, or used for any criminal purposes.

The HSE obtained a High Court order on May 20, 2021, restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

“Our cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this,” Mr Ryan said.

He added that the ongoing criminal investigation means the HSE is limited in how much detail it can give on the data that was accessed and which of its sites were involved, and that it also wanted to avoid giving information about the hack that would let scammers “re-target” sites or engage in phishing scams in the community.

Tusla and Children’s Health Ireland, which were both hit, will also be notifying people in the next phases of their processes.

The HSE data that was copied included a mixture of personal information, medical information and internal health service data. The internal health service data includes documents such as HR forms submitted by staff in relation to leave and data relating to staff travel expenses, the HSE said.

“For the most part, people are being notified that a limited amount of information relating to them was illegally accessed and copied,” Mr Ryan said.

"Personal information includes information on lists such as names, addresses, contact phone numbers and email addresses.

"Medical information can include some medical notes and correspondence with patients, some lists of patients receiving treatment, patient handover lists, notes, treatment histories and vaccination lists.”

“We will continue to liaise with the Data Protection Commission and to work closely with our technical experts, An Garda Síochána and the National Cyber Security Centre,” Mr Ryan added.