Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

2626. To ask the Minister for Health the total cost of the cyber-attack on the HSE and on her Department in recent years. [41114/25]

Jennifer Carroll MacNeill (Dún Laoghaire, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The health service was targeted by a criminally motivated cyber-attack in May 2021. The impact of this serious incident varied depending on the extent to which services relied upon technology, but in the main the ransomware attack had a devastating impact on the delivery of health services generally and specifically for patients who relied on them.

The HSE has invested significantly in cyber remediation since the cyberattack in 2021. An independent post incident report (PIR) commissioned by the board of the HSE following the attack, highlighted areas that needed to be addressed. The HSE have been very effective in addressing all issues highlighted since the publication of that report. Recommendations from that report were ranked such that the ones that would have the most immediate impact and could be implemented soonest, were pursued first.

There are multiple ongoing programmes of work focused on addressing all issues highlighted in the wake of the attack, reducing risk, building cyber resilience, and building additional cyber security capability and capacity through the establishment of a dedicated cyber security function under the leadership of a Chief Information Security Officer (CISO) within the HSE.

The cost of remediation of services in the aftermath of the 2021 cyberattack was estimated by the HSE to be €102m (as of Nov 2024). The costs of the cyber-attack are not expected to change pending legal case outcomes. The HSE continues to invest significantly in multi-layered cyber defences, including technology, processes, and people, in order to reduce the likelihood and impact of cyberattacks. The HSE allocated funding for specific actions within the voluntary sector also.

In order to address the ongoing risks associated with cyberattack and the need to build cyber resilience, the Government has provided additional, dedicated funding in recent years. There was an additional non-core funding of €40m in 2023, an additional allocation of non-core funding of €55m in 2024, and in 2025, the ICT & Cyber programme was allocated a total of €70m as part of core funding under the HSE National Service Plan.