Ransomware Attack on HSE in Ireland Has Cost More Than €80 Million

By Richard Anderson

In 2021, the Conti ransomware gang conducted a ransomware attack on the Health Services Executive (HSE) in Ireland. Approximately 98,000 patients and 18,200 members of staff potentially had their personal information stolen in the data breach, and more than a year on, notification letters are still being issued to those individuals.

Like many ransomware attacks, it started with a phishing email. In this case, the email had a Microsoft Excel attachment with a malicious macro, which gave the Conti gang the access to the network they needed to conduct the attack. Data was exfiltrated, some of which has been released on the dark web, and approximately 80% of HSE data was encrypted. The attack forced the shutdown of all HSE IT systems across the entire country.

The independent investigation of the attack that was commissioned by the HSE and conducted by PwC identified several major security failures, including antivirus software that had not had its signatures updated in more than a year. That single antivirus solution formed the basis of the HSE’s cybersecurity program. There was also a lack of a senior executive with responsibility for cybersecurity, an ineffective patching program, and a lack of security monitoring.

This was not a stealthy attack. Cobalt Strike beacons were deployed on multiple HSE servers, which triggered the antivirus solution to send out alerts, but those alerts were ignored. The attack caused major disruption and killed communications, including encrypting its on-premises email system. While the Conti ransomware gang provided free decryptors, a €20 million ($21.4 million) ransom demand was issued to prevent the release of the stolen data. That ransom was not paid.

The costs associated with mitigating the attack continue to rack up more than 18 months after the attack. The Irish Health Service Executive Interim Chief Information Officer, Fran Thompson, recently confirmed that the costs associated with the ransomware attack have now reached €80 million ($85.6 million), with €42 million ($45 million) incurred in 2021 and €39 million ($41.7 million) incurred from January to October 2022. The Department of Health has estimated the final cost could reach €100 million ($107 million), equivalent to around €20 for every person in Ireland.

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news