Patient data '10-15 times more valuable than credit card data' 

Information including date of birth, addresses and family connections can be sold on at huge profit, he said.

“I would say 10 to 15 times [greater than credit card data] is a good estimate,” he said. “The professionals online put that together with other records and they sell it for a lot more money. Then loans can be taken out or false identities can be issued based on this.” 

An international study published in health journal BMC Medical Informatics and Decision Making also found “information accessed through health data breaches is of particular interest to criminals”.

In it, researchers said: “As these records include private data such as name, date of birth, insurance and health provider information, as well as health and genetic information, it is not possible to restore privacy or to reverse psychosocial harm when private data are compromised.”

Prof Curran, founder of the International Journal of Ambient Computing and Intelligence, said theft of financial data is often shut down too quickly for criminals to make use of it.

The Russian-based criminal group behind the hack, known as Wizard Spider, has threatened to – and may already have – published data if they are not paid.

“They will find a market for this, no problem,” Prof Curran said. But he said they may not be in a hurry, as often these groups work with many victims at the same time.

Disquiet among hacking community

However, he said the scale of this hack has caused some disquiet among the hacking community.

Some of the main ransomware providers who take a cut off the attacks are saying they are going to try to stop ransomware infecting health systems and critical infrastructure.”

“This is the first time we have ever heard this from the hackers,” Prof Curran said.

Users on dark web forums discussing the HSE attack have said they are uncomfortable with the level of international and government attention it has drawn, he said.

“You never want to be too successful with a hack, because then the authorities can pump the money into tracing this,” Prof Curran said. “If you do small stuff all the time, no one comes after you.” 

Cost more than financial

Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University in the UK, said the cost is more than just financial.

“The massive embarrassment potentially caused on publication to the national health system, opportunity cost of the public’s lost faith in them as data guardians, plus any regulatory and compensatory financial damages will probably dominate.” 

However Prof Boiten is hopeful publicity around this attack will encourage patients to be more aware of how data is used.

“It may improve other hackers’ chances of creating successful phishing attacks, but I think the Irish population is now already pre-warned that medical information about them may be in unexpected hands,” he said.