Michael Creed (Cork North West, Fine Gael)
Link to this: Individually | In context | Oireachtas source

1369. To ask the Minister for Health if he is satisfied with the strategy adopted by the HSE in terms of correspondence with individuals whose personal information was hacked from HSE databases; if his attention has been drawn to reports that the communication which is issued to these individuals did not contain a phone number or email where further information could be obtained from the HSE; if he understands the reluctance of these individuals to create a new online account with the HSE which requires further personal documentation; if he will initiate a review of these procedures with the HSE; and if he will make a statement on the matter. [63963/22]

Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is important to note at the outset that there is no evidence that any personal data has been shared or used fraudulently since criminally motivated cyber-attack on HSE systems in May 2021. A secure data breach notification process began on the 29th November 2022 to contact people whose information was illegally accessed and copied during the cyber-attack on HSE systems in 2021. This follows from a necessary process that has taken time where files have undergone extensive examination and validation to allow HSE notify individuals as required and to verify the identity of relevant individuals for notification purposes. 

It is anticipated that the HSE notification process will take 16 weeks to notify 113,000 subjects (Patients 94,000, Staff 18,200). Over the 16 week period, notifiable subjects will receive a letter from the HSE advising them that their data was part of the data breach. The letter will also outline how, if they wish to do so, people can request to view their exact documents which were illegally accessed and copied, which can be done via a secure portal on the HSE website. There is also an option available for individuals to submit their request by post. The portal has undergone rigorous cyber security design and testing. 

A call centre and on-line portal has also been put in place to support individuals through this process. Individuals can simply set up the portal account to request a call back from the HSE. 

The data notification process, by necessity, needs to be secure as ultimately people are being given the opportunity to request access to documents that may have been accessed and HSE cannot risk a situation arising whereby, through this process, the wrong documents are shared. It is also important to note the strong measures and mitigation actions have been taken by the HSE since the criminal attack and also that there is no evidence that any personal data has been shared or used fraudulently since 2021.

The HSE has taken a number of actions and mitigations since the criminally motivated cyber-attack that includes the following:

- HSE is monitoring the internet including the web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online. 

- The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling, or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

- HSE cyber security experts are continuing to monitor the internet and the dark web for the illegally accessed information and the HSE will act immediately if they see any evidence of this.