Ireland Set to Notify 20,000 More Health Data Breach VictimsRansomware Attack by Conti Group Also Exposed Child and Family Agency Data
Ireland's child and family agency, Tusla, says it is beginning a months-long process to notify 20,000 individuals that their personal information was exposed in the May 2021 ransomware attack against the Health Service Executive.
The HSE is Ireland's publicly funded national healthcare system and social services agency. It formerly provided IT services to Tusla.
An investigation into the ransomware attack against HSE, led by An Garda Síochána - Ireland's police force - found that "some personal information belonging to a number of people who have been involved with Tusla services and a small number of Tusla employees was illegally accessed and data was copied," the agency says.
Data handled by Tusla includes information gathered by providing child protection and welfare services; adoption and foster care; early years services; domestic, sexual and gender-based violence services; family and community support services; and more.
Tusla says the process of notifying the 20,000 victims likely won't be complete until November.
Working with Ireland's data protection authority - the Data Protection Commissioner, which enforces privacy rules, including the EU General Data Protection Regulation - Tusla says it has developed a notification process for victims. All individuals whose personal details were exposed in the attack on HSE will receive a registered letter via the national postal service.
Each letter will contain a unique PIN for each breach victim, which they can use to access their information through the Tusla Personal Information Access Portal, backed by telephone-based support if they need assistance. Alternately, victims can set up an in-person meeting with a case worker to review the data that was exposed.
Notification Begins - 21 Months Later
Tusla says the delay between the attack and eventual victim notification is due to the challenge of reconciling which records were exposed and the patients associated with the records.
"At the end of December 2021, An Garda Síochána provided Tusla with a copy of the files that were illegally accessed and copied," it says. "Tusla has undertaken an extensive process to carefully review all of this information, to identify individuals affected in accordance with GDPR guidance, and guidance from the Data Protection Commission."
On a per-victim basis, the agency has also had to review all of the exposed records to redact any information they might contain about other individuals, when necessary, to protect those individuals' data rights.
"We acknowledge that it has taken some time for the commencement of this notification program; however, it was crucial that each record that was affected by the cyberattack was carefully reviewed to identify the people affected," says Kate Duggan, Tusla's director of services and integration.
"We also have to ensure that letters are being sent to verified addresses," she adds. "Notifications will continue over the coming months, and we ask for understanding and patience as we continue to work through this complex process."
Tusla says that it will communicate with victims only by registered letter and never by text messages, phone calls, emails or social media.
Despite the personal data having been exfiltrated during the Conti attack, it's possible that none of it has been sold via cybercrime forums or dumped via data leaks.
"We have seen no evidence that any of the Tusla information that was affected has been published on the internet or dark web, and we are continuing to monitor the situation with the assistance of cybersecurity experts," Duggan says. "There is also no evidence that any of the Tusla information has been involved in scams or other fraudulent activity."
Conti Group Claimed Credit
The now-defunct Russian ransomware group Conti took credit for the attack, which began on March 16, 2021, with a phishing email carrying a malicious Microsoft Excel file attachment. By the end of the attack, on May 14, 2021, nearly 80% of data managed by HSE - including medical and banking information - had been forcibly encrypted, and attackers held the decryption key.
Separately, HSE has already notified approximately 113,000 individuals - 94,800 patients and 18,200 staff members - that their data may have been stolen by attackers.
While Conti made a big show of providing a "free" decryptor to HSE, on account of it being part of the National Health Service, cleanup costs have been extreme. As of October 2022, mitigating the attack, restoring systems, probing the incident and notifying victims had already cost more than 80 million euros - or $85 million.
HSE also has been overhauling its IT environment in light of numerous deficiencies identified by consultancy PricewaterhouseCoopers, which it hired to review its cybersecurity posture.
Following the May 2021 attack, Tusla says it had systems restored by June 30, 2021. Since then, it has largely stopped using any HSE-managed IT systems.
"Much of Tusla's IT infrastructure has since undergone a migration to Tusla-owned and secured systems, of which cybersecurity is a cornerstone," the agency says. "We are monitoring and regularly assessing our systems for vulnerabilities and opportunities for improvement with the assistance of cybersecurity experts, to help protect the data that we hold from any future attacks."