Healthransomware5 min read

Irish Heath Service 2021 Cyber Attack

Downtime Duration

3-4 Months

Estimated Costs

€101 Million

Records Exposed

520 patient data leaked online

Operational Impact

  • 473 legal proceedings taken
  • Countless appointments, including Covid-19 tests, canceled
  • IT system mostly and immediately shut down
  • €101m in taxpayer money lost.

Summary

The Irish Health Service (HSE) is the main backbone of Ireland's healthcare system. So why would cyber criminals try to cripple something so essential?

Full Analysis

Introduction

In Ireland, The Healthcare Service Executive (HSE) is their main publicly available healthcare system. They have continued to diligently provide safe and high-quality care when needed, despite having issues with underfunding and substantial bureaucracy. However, even the most well-meaning and consistent systems aren’t off limits to cyber-attacks, as in 2021 they were attack by a premedicated attack with the purpose of holding their valuable information for ransom. 

Entry Vector (How it happened) 

The main perpetrators of the hack were revealed to be a Russian hacker group known as Wizard Spider using a Cobalt Strike penetration tool to inject Conti ransomware into the systems (Horgan-Jones and Lally, 2021).  

On March 18th, 2021, the hackers were able to gain access to a HSE workstation (their patient zero) by using phishing to trick someone into downloading a malicious file which would serve as a landing zone for their main attack. Using this workstation, they launched a series of attack throughout May, methodically compromising servers, accessing files and compromising six to seven HSE hospitals (krebsonsecurity.com, 2021). This culminated in a ransomware attack on the 14th of May, when Wizard Spider fully launched Conti onto HSE’s Data centre, maliciously encrypting files across multiple servers. Upon learning of the attack, HSE shut down their IT systems and deactivated their internet to deny further access to the hackers (McNally, 2021). Soon after the attack occurred, a digital ransom for €16.5m (or £14m / $20m) was demanded form Wizard Spider, with links to darknet chat rooms containing samples of compromised documents as proof (Saarsteiner and Eames, 2022). 

The system discovered the malicious file on March 31st but was unable to do anything as it was set to monitor mode (McNally, 2021). 

Recovery 

In the immediate aftermath of the attack, staff restored to a pen and paper system for basic administration, with up to 80% of appointments being cancelled or postponed (BBC.com, 2021).  

Immediate after the attack, the hackers demanded a bitcoin ransom of $20m (or £14m) for the decryption key needed to regain access to the compromised systems and files. When the Irish government refused to pay the ransom, the hackers released some of the files onto a dark web chatroom, and then in May released the decryption key (Tidy, 2021). 

It’s mostly unknown why Wizard Spider released the key but it’s likely because they either recognised the sheer scale of the affects their attacks had (Corera, 2021), they felt the walls closing in form law enforcement, or they simply gave up. They still threatened to auction off the stolen data.   

Four months after the attack, despite feeling some direct and in-direct effects from the hack, the HSE stated that 95% of their servers and devices had been restored (McNamee, 2021).  

Impact 

Technological 

About 2,800 servers, 3,500 workstations and 15 Domains showed signs of encryption according to HSE’s Incident Response Provider. This, as well as more than 80% of HSE’s overall IT infrastructure was affected before it was all shut off (Corera, 2021). 

There were many faults within the HSE’s system long before Wizard Spider’s attack; According to a commissioned report by PricewaterhouseCoopers (PWC), HSE’s system was described as ‘frail’ and was vulnerable before the attack and in the possible future (Corera, 2021).  

Other damning results from the report included a lack of a proper cyber incident response or IT recovery plans, a lacklustre detection software that could have detected and responded to any cyber threats, and an overreliance on legacy media dating back to Windows 7 from 2009 as well as an inconsistently updated anti-virus software for the entire system (Targett, 2022).   

But arguably the most damning finding of them all was that there were many signs of an incoming cyber-attack on HSE’s systems as the hacker’s activity was detected, but HSE had neglected to hire a senior level cybersecurity expert who could have recognised the risks and taken the several opportunity to properly discover the implanted ransomware and successfully quarantine it (Coble, 2021).  

Financial  

HSE has estimated that €101 million of taxpayer money was lost from the attack, with further costs on areas such as repairing and updating IT systems with the latest cyber security and replacing compromised workstations costing up to €657m (Hyland and O’Regan, 2022). 

Legal 

The HSE offered to compensate anyone affected by the cyber-attack up to €750. The offer was described by one law firm who received it as a ‘significant development’. (Bowers, 2025)  

Approximately 473 legal proceedings were taken against HSE. Additionally, 12 personal injury claims based on psychological damage caused by the attack were managed by the State Claims Agency (SCA), a division within Ireland’s National Treasury Management Agency (NTMA) that handles legal claims against the state itself and it’s authority (O’Donovan, 2024). As of November 2025, the overall number of legal cases had arisen to 620 according to the HSE (Bowers, 2025). 

Hospitals 

The Conti ransomware caused significant damage to HSE hospital services. Many appointments, such as outpatient, maternity, radiation and oncology appointments, were cancelled (Brennan, 2021) (Moloney, 2021). Covid-19 referral systems during this time were also affected, with the HSE instructing those with appointments to instead attend walk-in testing centres and then self-isolate until they eventually receive their testing results (Cónal, 2021). 

Since most of the IT system when offline, some hospitals lost access to online electronic systems and had to resort to using pen and paper for record keeping (McNamee, 2021) (BBC.com, 2021). Up to 40 hospitals across many counties across Ireland were disrupted by the cyber-attack. The HSE reported on their functionality on their website (Health Service Executive (HSE), 2021).  

The Seamless Solution 

  • HSE’s system was poorly defended and equipped for a cyber-attack of such magnitude. Their anti-virus detection system would desperately require updates to ensure it can handle major threats in a way that is appropriate for the modern-day internet.  
  • Considering all the sensitive and crucial data hospitals must handle daily, such as test results and appointments, having an updated backup system and a dedicated recovery plan in place is a must have.  
  • Another major reason why the cyberattack was so widespread in HSE was the lack of adequate containment measures for preventing Conti from infecting so many systems. A proper software such as Seamless Recovery would have detected the virus early and quarantined it to a small number of systems, preventing major damage whilst recovering any encrypted data at a moment’s notice period. Speed is essential to data recovery, especially concerning hospital systems.  

Conclusion 

Hospitals are essential to society, providing lifesaving healthcare to those in desperate need. But when such a complex system is crippled, it not only shuts down IT systems, but it also places hundreds, if not thousands of people at risk. The cyberattack on the HSE is not only a stark reminder of that, but also of what happens if something so important is left so defenceless.  

Sources 

  • BBC.com (2021): Cyber-attack on Irish health service ‘catastrophic’. Online News Article Published by BBC.com: https://www.bbc.com/news/world-europe-57184977 
  • Brennan, C (2021): HSE issues defiant statement after ‘significant ransomware attack’. Online News Article published by irishmirror.ie: https://www.irishmirror.ie/news/irish-news/hse-cyber-attack-updates-live-24107129  
  • Cónal, T (2021): Covid-19: GP and close contact referral system down, patients advised to attend walk-in centres. Online News Article published by thejournal.ie: https://www.thejournal.ie/covid-19-gp-and-close-contact-referral-system-down-patients-advised-to-attend-walk-in-centres-5437186-May2021/ 
  • Health Service Executive (HSE) (2021): Appointment and service updates – HSE IT system cyber attack. Achieved Website update Published by web.archive.org: https://web.archive.org/web/20210516223458/https://www2.hse.ie/services/hospital-service-disruptions/hse-it-system-cyber-attack.html  
  • Krebsonsecurity.com (2022): Inside Ireland’s Public Healthcare Ransomware Scare. Online Article published by Krebsonsecurity.com: https://krebsonsecurity.com/2021/12/inside-irelands-public-healthcare-ransomware-scare/ 
  • Moloney (2021): Warning of widespread cancellations for HSE patients if ransomware attack not resolved by Monday. Online News Article Published by independent.ie: https://www.independent.ie/irish-news/warning-of-widespread-cancellations-for-hse-patients-if-ransomware-attack-not-resolved-by-monday/40427449.html 
  • Targett, E (2022): PwC’s HSE hack post-incident report should be a corporate textbook. Online News Article published by thestack.technology: https://www.thestack.technology/pwc-hse-hack-post-incident-report/ 

See the Recovery Orchestration Engine in action.

Tour the solution story built for investors and acquirers.

No lock-inIntegrates with your existing stackEnterprise ready