Health Service Executive ransomware attack
On 14 May 2021, the Health Service Executive of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.
It was the most significant cybercrime attack on an Irish state agency and the largest known attack against a health service computer system. Bloomberg News reported that the attackers used the Conti ransomware. The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Russia. The same group is believed to have attacked the Department of Health with a similar cyberattack.
On 19 May, the Financial Times reviewed private data for twelve individuals which had appeared online as a result of the breach. On 28 May, the HSE confirmed that confidential medical information for 520 patients, as well as corporate documents, had been published online.
Background
The attackers began by sending a malicious email to a workstation on 16 March 2021. The email was opened on 18 March. A malicious Microsoft Excel file was downloaded, which allowed the attackers access to HSE systems. The attackers gained more access over the following weeks. The HSE antivirus software detected activity on 31 March, but could not block it as it was set to monitor mode. On 13 May the cybersecurity provider for the HSE emailed the Security Operations team that there had been unhandled threats on at least 16 systems since 7 May. The Security Operations team had the server team restart servers.
The HSE was alerted to the attack at 4am on 14 May 2021. The attack affected both national and local systems, involved in all core services, with the HSE taking down their IT system in order to protect it from the attack and to give the HSE time to consider options.
The attack occurred during the COVID-19 pandemic. Ireland's COVID-19 vaccination programme was not affected by the attack and proceeded as planned; however, the COVID-19 general practitioner and close contact referral system was down, requiring these individuals to attend walk-in sites rather than attend an appointment.
The independent TD Cathal Berry stated that the National Cyber Security Centre, which is responsible for the state's cyber security, had only 25 members of staff, a budget of €5 million a year, no dedicated premises, and that its position of Director had been vacant for a year due to its salary of €89,000 a year. The National Cyber Security Centre was then under the remit of the Department of the Environment, Climate and Communications. Since 2025, it has been under the remit of the Department of Justice, Home Affairs and Migration.
Perpetrator & methodology
The National Cyber Security Centre identified the penetration testing tool Cobalt Strike, sold by American IT company HelpSystems, as being used to move through and infect HSE and Department of Health systems, to run executable files, and to deploy a variant of the Conti ransomware. Cobalt Strike Beacon was detected on infected systems, which allowed them to be controlled and for software to be deployed remotely. The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.
Impact
Hospitals
The ransomware cyber attack had a significant impact on hospital appointments across the country, with many appointments cancelled, including all outpatient and radiology services. Several hospitals described situations where they could not access electronic systems and records and had to rely on paper records. Some have warned of significant disruption with routine appointments being cancelled, including maternity checkups and scans.
The COVID-19 testing referral system was taken offline, requiring individuals with suspected cases to attend walk-in COVID-19 testing centres, rather than attend an appointment. The COVID-19 vaccination registration portal was also taken offline, but was back online later in the evening.
The Chief Operations Officer of the HSE – Anne O'Connor – said on 14 May that some cancer and stroke services had been affected and that "the situation will be very serious if it continues into Monday". She said that the most serious concerns were with diagnostics, with radiology systems having gone down, preventing CT and other scans from going ahead. A large number of out-patient appointments were also cancelled; most community health services were unaffected. O'Connor also reported that "we don't know what data has been taken", but "we know some data has been compromised", with the Data Protection Commissioner being alerted to the potential breach.
The HSE published a list of affected services on its website at lunchtime on 14 May 2021.
On 19 May, the Financial Times reviewed "samples" of private data of twelve individuals that was published online, including admission records and laboratory results for a man admitted to hospital for palliative care. In response, the National Cyber Security Centre stated criminal gangs "habitually release stolen information as a means of pressurising organisations into paying a ransom". The ContiLocker Team claimed to also have staff employment contracts, payroll data and financial statements, patient addresses, and patient phone numbers.
On 28 May, the HSE confirmed that data relating to 520 patients, including sensitive information, was published online.
Hospital disruptions
In December 2021 the HSE said that it may take up to four months to contact all those whose data was stolen. The Garda National Cyber Crime Bureau received the data from the United States Department of Justice through a mutual legal assistance treaty. The Bureau provided the data to the HSE on 17 December 2021. The HSE confirmed that said data was taken from its computers. The HSE also contacted the Data Protection Commissioner about the data. The data is expected to be a mix of personal data, medical information, HSE corporate information as well as commercial and general personal administrative information.
Child and Family Agency
The Child and Family Agency, also known as Tusla, was also affected by the attack. Then-CEO Bernard Gloster said that Tusla had about 20,000 open cases, including children in care, child welfare and protection, but that the records were on the National Childcare Information System, which was not accessible due to the attack. He said that there was no indication that the data was compromised other than being made inaccessible, but that would not be known for certain until the HSE systems were restored. About 90% of Tusla's connectivity was gone, with databases and operating systems affected.
Response
The HSE worked with the National Cyber Security Centre, the Garda Síochána, Irish Defence Forces, as well as various partners domestically and internationally, including Europol and Interpol. The Minister of State for Public Procurement and eGovernment – Ossian Smyth – said that the attack was international, not espionage, and that "this is a very significant attack, possibly the most significant cyber attack on the Irish State."
The HSE claimed that it was a zero-day threat and that there was no experience in how to respond to the attack. The Minister for Health – Stephen Donnelly – said that the attack had "a severe impact" on health and social care services. The Director-General of the HSE – Paul Reid – said that the attack would cost "tens of millions" to fix.
A number of news outlets, including Bleeping Computer, reported that a ransom demand of €16.5 million was made, offering to decrypt data and to not publish "private data". Initially, the Business Post reported that a ransom demand of three bitcoin or €124,000 was made. Taoiseach Micheál Martin stated the ransom would not be paid, with the attack instead being dealt with in a "methodical way".
American cybersecurity firms McAfee and FireEye were contracted by the HSE after the attack to mitigate the damage, and to monitor dark web sites for leaked data.
On 16 May, it was reported that the Department of Social Protection came under "sustained and fierce attack" but the highly organised criminal group were unable to breach the security. The department subsequently suspended its electronic communication channels with the HSE.
On 20 May, Minister for Communications Eamon Ryan said a helpline was to be set up to assist individuals who have had health information published as a result of the hack, and that social media companies were asked to not share information that has been released, with a High Court injunction obtained by the HSE to prohibit the sharing of this information. On the same day, it was reported that the organised cyber crime group provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted. Meanwhile, the public was advised by Gardaí to be aware of a number of call and text scams in the wake of the cyber attack amid warnings the delivery of care in the health service would be a high risk for weeks; as of 24 May, the Garda Síochána have described any calls threatening the release of information as "opportunistic", stating they do not have access to private data.
On 27 May, the Chief Executive of the HSE – Paul Reid – said that the cost of the cyber attack on its IT systems could exceed €100 million.
The Defence Forces' CIS Corps deployed 'ethical hackers' to fight back against the ransomware attack and sent CIS personnel to hospitals and HSE offices in order to decrypt affected devices onsite. Army Reservists were particularly useful to this effort due to their cybersecurity skills and experience gleaned from the private sector during their day jobs.
On 5 September, during a major operation carried out by Gardaí targeting the gang behind the ransomware attack, the Garda National Cyber Crime Bureau seized several domains used in the cyberattack and other ransomware attacks.