In a new low for the cyber criminal “fraternity”, the Conti ransomware gang has started to leak personally identifiable information about Irish hospital patients, stolen in its attack on the country’s Health Service Executive (HSE), in the face of refusals to negotiate or pay a ransom from the Irish government.
This is according to the Financial Times, which has assessed some of the leaked data allegedly shared by the Conti gang in a chat with an unidentified party as proof that they were in possession of HSE data. The newspaper revealed that the data included information on 12 individuals, one of whom was receiving palliative care and subsequently died.
The gang is demanding a $19.99m ransom from the HSE, which was forced to shut off its systems on Friday 14 May when the attack was discovered, causing immense disruption to hospital services and patient care across Ireland, although its Covid-19 vaccination programme has continued to operate normally.
In a statement released earlier in the week, the Irish government said: “These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data. The significant disruption to health services is to be condemned, especially at this time.
“Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused. Anyone who is affected is urged to contact the HSE and the Garda authorities.”
Describing the apparent leak as a “worst-case scenario”, ProPrivacy’s Ray Walsh said: “This is hugely sensitive personal information, and the fact that it is now being leaked online raises huge privacy concerns for any patients affected.
“There is always a danger that when systems are attacked with ransomware, cyber criminals will make copies of the data to sell on the dark web or to use for secondary attacks and criminal activities such as fraud, phishing or identity theft.”
Saryu Nayyar, CEO of Gurucul, agreed that leaked healthcare data raised the prospect of social engineering attacks on patients in Ireland, many of whom may be more vulnerable or less cyber-savvy due to old age.
She said there were, however, some encouraging signs in the wider government response. “The fact that the Irish government will not give in to the attackers’ demands is a sign that they are confident they have backups to sufficiently restore their systems and data,” she said, though she noted that this would likely result in more data leaks further down the line.
The investigation into the attack continues, but the HSE has warned that with 80,000 devices and 2,000 patient IT systems needing to be fully assessed and restored, some of them dating back to the 1990s, it expects the process to take weeks.
The ransomware attack is also now being treated as a General Data Protection Regulation (GDPR) incident, which could result in significant fines for the HSE.
Full service updates are available from the HSE.