Date: 2021-05-16

Today, the Department of Health revealed that it has been attacked by ransomware, following last week’s massive cyberattack against the HSE. A ransom has been demanded, say authorities.

So what’s going on? Is this the start of a wave of attacks against Irish public bodies? And what might the hackers have in mind for the sensitive medical data on patients that they claim to have? Here’s a quick explainer on where we stand at present.

Do the hackers really have my sensitive medical data?

This is what they claim. There has been no firm answer yet from either the HSE, the Government or the National Cyber Security Centre as to whether that is, in fact, the case.

What kind of medical data are we talking about?

Allegedly it’s patient records, administration and supplier accounts and employee information, including payroll data.

But the HSE and the Government say they won’t pay any ransom. Does this mean my sensitive medical information is about to be leaked online?

If the hackers do have what they say they have, it looks likely. In their warped logic, they have to – otherwise the next victim won’t take their threat seriously.

Have they done this before?

Yes. In February, the Conti gang leaked data that was stolen through a ransomware attack on a Texas hospital in Nocona, just north of Dallas. That data dump included patient names, insurance details, medical records, audits, social security numbers and dates of service. It also included details of procedures such as colonoscopies and appeals.

Where would they leak it?

It’s usually either offered for sale on the Dark Web or simply dumped there.

What is the Dark Web?

It’s a huge area of the internet that can’t be reached by using Google or a web browser. It’s very hard to track and, because of this, is popular with criminals and those seeking to avoid scrutiny.

What’s the worst that could happen if the stolen data really is leaked?

Scammers and other criminals may get their hands on it and either try to hack your accounts or scam you. It’s also possible, though less likely, that criminals may try focused attacks such as blackmail, in an instance where they get details of a person being treated for a sexually-transmitted disease or a medical matter, such as an injury, that is undisclosed to an employer and which could be damaging to one’s job.

Could legitimate businesses such as insurance companies see it and use it against me?

In theory, yes. But in practice, it would be reckless and very damaging to them if they did this and were caught. “Taking data dumped by criminals is a clear intentional act to directly benefit from a known illegal act,” said Daragh O’Brien, CEO of legal privacy consultancy Castlebridge. “I’d expect that the Data Protection Commissioner here would levy the maximum penalty in order to dissuade others.”

What do we know about any progress being made on this attack?

Details are slow to emerge. All of the public authorities involved, from the HSE to the Department of Health and Department of Communications, say that the damage is still being assessed.

But who’s actually trying to fix it?

The US cyber-security company FireEye.

But I thought the National Cyber Security Centre is handling it?

Ireland’s National Cyber Security Centre is a very small organisation with relatively scant resources and no-one in a leadership position. It is not considered among IT security professionals to have the full expertise to directly deal with the incident response requirements.

What does all of this say about Ireland’s state of readiness against other attacks? Are we sufficiently protected?

The general consensus appears to be that Ireland is in a weak, vulnerable position for further cyber attacks.