Government has received no ransom demand after HSE cyberattack, says Heather Humphreys

“If there is a request for money the Government will not be paying a ransom.” Ms Humphreys said that such a demand was likely to happen and that the Government would be prepared. 

She advised that if any individual was contacted about their personal data they should contact the gardaí immediately and that a helpline was being set up.

It was likely that data would be released, but the more information that could be gathered, the more prepared the authorities would be, she added.

Any blackmail efforts should not be paid, either by individuals or by the State, said Ms Humphreys.

The real priority was getting the health system up and running and ensuring treatment for patients, she said. 

The Minister paid tribute to the “huge efforts” of HSE staff who have “come through a torrid time.” 

Ms Humphreys said that her own department, Social Protection, had been targeted by cyber attackers recently, but it had been thwarted. 

Her department was constantly looking at their security system and its firewall protection.

The Minister denied that there had been any neglect or lack of investment and said that once the current crisis was over the situation would be examined and if it transpired that further investment was required for cyber security then the Government would provide it.

The response to the cyberattack was a cross-Government effort, she said.

New deadline demands

The acting Minister for Justice's comments come after media reports stated the criminal gang had issued a new deadline to the HSE and the government over payment for the patient data. 

The cybercrime gang responsible for the cyberattack on the HSE had issued a Monday deadline for payment or else it will share and publish patient data, Bloomberg reported. 

According to communication viewed by the international news agency between the HSE and Russian group, the gang has issued a Monday deadline of May 24 for the ransom to be paid. 

The group has said unless the $20m ransom was paid in bitcoin, a cryptocurrency, by this date, then it would publish or sell the patient data it has secured. 

The HSE and the government have both said that repeatedly that no ransom was to be paid. 

Fears are growing after media reports that files, screenshots and patient data secured from the attack are circulating online and the State could face hundreds of millions in legal claims from victims if the HSE is found to have failed to adequately protect patients' data from the cyber hack.

Increased pressure

Minister for Health Stephen Donnelly has criticised law firms that, he says, are "licking their lips" at the prospect of taking legal cases against the State as a result of the cyberattack on the HSE.

Gardaí investigating the cyberattack have said the release of these documents is designed to increase the pressure on the HSE and the State to pay the ransom. 

However, the director-general of the HSE has defended the HSE's record on cybersecurity, calling the ransomware attack a "vicious and callous act".

Paul Reid said that it was far too early to assess if weaknesses identified in the system some years ago had been the cause for the attack. No direct link had been identified, he said.

The weaknesses in question had been identified by an internal audit, he said and if they had not been identified that would have been an even more significant failing. As a result of the identification of the weaknesses, actions had been taken.

The approach adopted by the HSE had been to invest in new systems, such as the Covid testing system and the vaccination programme, both of which were new and separate and therefore had not been impacted by the cyberattack, he added.

While he could not validate reports that patient data was being revealed, Mr Reid said there was a strong likelihood that had happened. What he did know was that a significant proportion of data had been encrypted and was backed up.

Services restoration

The HSE focus now was on restoring services while the NCSC and the gardaí were carrying out an investigation into what happened.

The latest communications seen by Bloomberg state the gang's demands have changed from claiming that they will publish patient data "very soon" to "will start to sell and publish your data next Monday". 

Specialist IT teams continue to work "around the clock" to assess 80,000 HSE devices that have been impacted by the cyberattack while minister Eamon Ryan has said the government is putting systems in place for people to report if their data has been published.