Cyber-attack on Irish health service 'catastrophic'

Getty Images HackerGetty Images
Ireland's Department of Health and the Health Service Executive have both been targeted by hackers

The head of the Republic of Ireland's health service has described the "catastrophic" impact of a "stomach-churning" hack of its IT systems.

Health Service Executive (HSE) chief executive Paul Reid criticised the ransomware attack as a "callous act" and an attack on health workers.

The number of appointments in some areas of the system has dropped by 80%.

Health workers are attempting to continue with paper records while work continues to recover IT systems.

The hack has caused substantial cancellations to outpatient services.

He told a HSE media briefing on Thursday that the response has been "comprehensive" since last Friday and will "continue to be relentless".

However he said work to undo the damage will continue into the coming weeks.

"We are now in the assessment phase where we're assessing all across the network… to understand the impacts across the network," he said.

Mr Reid said there are 2,000 systems used by the health service and more than 4,500 servers.

'Major disaster'

Speaking to RTÉ earlier, the HSE's national clinical advisor Dr Vida Hamilton said it was "affecting every aspect of patient care".

Dr Hamilton described the incident as a "major disaster" and said there were difficulties around accessing patient records.

She said with lab tests, a handwritten form was required, with a runner taking it to the lab, and it then being manually put in to be analysed, something she said increased the chance of "delay and risk for error".

The attack has been described by Taoiseach (Irish PM) Micheál Martin as "heinous".

"It's a shocking attack on a health service, but fundamentally on the patients and the Irish public," Mr Martin said.

He said cyber-security is under continuous review across all state agencies in the Republic of Ireland

Shared online

On Wednesday, Irish Communications Minister Eamon Ryan described reports health records have been shared online as "credible".

The Financial Times reported it had seen files and screenshots from the hack, which included the file of one man admitted to hospital for palliative care.

It reported the file matched a death notice seen by the paper.

Getty Images Eamon Ryan pictured outside wearing a scarf and coat with a serious expressionGetty Images
Eamon Ryan said it was "deeply regrettable" if information from the hack had been shared online

Speaking on RTÉ, Mr Ryan said it was "deeply regrettable" if this information had been made available, and said while he could not confirm the report, it "seems to me to be very credible".

The criminal investigation is being led by the Garda National Cyber Crime Bureau, working with the National Cyber Security Centre and the HSE.

A spokesperson for the Department of the Environment, Climate and Communications, which includes the National Cyber Security Centre, said there was a risk "that the medical and other data of patients will be abused, either for fraud or be means of public release".

Plans for police helpline

"These criminal groups also habitually release stolen information as a means of pressurising organisations into paying a ransom," the department said.

Anyone who has been affected by the cyber-attack is being encouraged to contact the HSE and gardaí.

Speaking in the Dáil (Irish parliament) on Thursday, Mr Ryan also said that a helpline will be established by the government for anyone who has been approached and told that their health information is going to be published online.

He described it as "a confidential crime line-type system" and it will also provide those affected with secure advice.

Mr Ryan said it was impossible to completely stop data that has already been shared, but said it was possible to "minimise and protect to the best of our ability, by reducing the sharing of that information".

He added that the helpline will also give the government an indication as to the kind of information that is being published.