INCIDENT: Ransomware Attack Causes Widespread Disruption in Ireland’s Healthcare Service
Ireland’s health service shut down its IT system after experiencing a “significant ransomware attack”. The incident affected more than 80% of IT infrastructure, with the loss of key patient information and diagnostics, resulting in severe impacts on the health service and the provision of care. All computer systems were switched off. Doctors, nurses and other workers lost access to systems for patient information, clinical care and laboratories. Emails went down, and staff had to turn to pen and paper. Lab test data had to be handwritten and manually entered, leading to greater risks of mistakes. Thousands of people's healthcare was disrupted. Confidential medical files were also stolen, with hackers threatening to release the data. A response was quickly mobilised internally, and the Irish Defence Forces were called in to help.
The HSE commissioned PwC to produce an independent report on the cyber attack. On 18 March, someone in the Irish Health Service Executive (HSE) opened a spreadsheet that had been sent to them by email two days earlier, but the file was compromised with malware. The criminal gang behind the email spent the next two months working their way through the networks. According to the report, there were multiple warning signs that they were at work, but no investigation was launched, and that meant a crucial opportunity to intervene was missed. On 14 May the ransomware was released. Senior staff set up a "war room", but the report criticises the lack of preparation or contingency planning for such a loss of systems. "The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event," it says.
The attackers demanded payment to restore access to the computer systems. Then on 20 May, the attackers, for reasons not entirely clear but perhaps realizing the scale of what was happening, posted a link to a key that would decrypt files. This allowed a long recovery to begin, and it took the service four months to fully recover.