What happens if the HSE cyberattack data is leaked?

24 May 2021


Data stolen from the HSE cyberattack could be leaked online from today (24 May). Here’s what you need to know about the situation.

The Irish Government has said there is a “real risk” that patient data stolen from the recent cyberattack on the Irish Health Service Executive (HSE) will be abused by cybercriminals.

The attack, which emerged more than a week ago, involved malware known as Conti. This is ‘double-extortion’ ransomware, meaning that as well as holding access to systems to ransom, the malware might also steal information stored on the system. Hackers can then threaten to release this information online if a payment is not made.

The Government said work to identify the extent of any data taken is ongoing. “The theft and disclosure of medical data would be a particularly despicable crime because it involves sensitive, personal information. Any public release of this data would be illegal,” the statement said.

Last week, the Financial Times reported that hackers had started leaking personal data online and demanded an almost $20m ransom for the stolen data.

While the Government has repeatedly stated that no ransom would be paid, the cybercriminals had given a deadline of today (24 May) before they would start leaking data online.

Why is leaked health data concerning?

While some may already be concerned about their private medical history being leaked online, others may question what use the data is or why it could be so dangerous in the hands of cybercriminals.

Speaking to Siliconrepublic.com, IT security expert Brian Honan said the biggest concern is that the data could fall into the hands of other criminals who can use the data to target individuals.

“This could be either for scams relating to their health data or using the data from the HSE breach with data from other breaches to create a fuller profile of individuals, therefore making scam emails or calls much more convincing to the potential victims,” he said. “There is also the heightened risk that this additional information could lead to identity theft.”

The targeting of health data has been a growing trend in cybercrime for a number of years. According to the HIPAA Journal, more than 3,700 data breaches of 500 or more records were reported to the US Department of Health and Human Services between 2009 and 2020.

“Those breaches have resulted in the loss, theft, exposure or impermissible disclosure of 268,189,693 healthcare records,” the report said.

A 2019 report from cybersecurity company Carbon Black found that personal health data is three times more valuable to hackers than credit card information. This is because health data is hardcoded within us.

Additionally, not only can these details be used for convincing scam emails or for identity theft, Honan said they can also be used to blackmail individuals who may be getting or have received treatment for an embarrassing ailment or sensitive condition.

What should people do to stay safe?

With the heightened risk of identity theft and scams, Honan said people should be very wary about unsolicited contact from anyone claiming to be from healthcare providers looking for additional information, financial details, requests for payments or offers of refunds for treatments.

“If you receive any such approaches, you should contact the health provider directly on contact details you know to be true, not those in the email or message you received, and if the approaches have been fraudulent to contact An Garda Síochána.”

The Government said it urges anyone who has reason to suspect they are victims of the cyberattack to make a report to their local Garda station or through the 24-hour Garda confidential line on 1800 666 111.

What about the decryption tool?

While the Irish Government and HSE are braced for the potential leaking of data, work to restore the HSE’s IT systems is ongoing.

Last Thursday (20 May) a decryption tool believed to be from the cybercriminals who carried out the attack was made available.

A statement from the HSE yesterday said a “structured and controlled deployment” of the decryption tool is ongoing.

“Progress continues to be made in some hospitals on restoring IT systems and some sites (at a local site level only) now have access to radiology, laboratories and their patient administration systems. But this is uneven across the country and levels of disruption this week are expected to be similar to those of last week.”

Honan said there could be several reasons why the cybercriminals released the decryption tool despite claiming they planned to release the stolen data.

“My own opinion is that they realised the HSE was not going to pay the ransom and were focusing on recovering the systems manually. This meant the criminals knew they had no leverage any more with the HSE on the encrypted data and releasing the decryption key would put the focus on the extortion threat regarding the public release of the data,” he said.

“By releasing the decryption key, the criminals may also hope the HSE would be better able to identify what data the criminals stole and therefore strengthen their case for getting paid not to release that data.”

Jenny Darmody is the editor of Silicon Republic
