Cyber Incident Victim: Health Service Executive
Date: Jun 2023
Location: Ireland
Summary
The Health Service Executive (HSE) was impacted by a cyber attack on the third-party file transfer tool MOVEit, which was exploited by the Clop ransomware group. An external partner, EY, was using the tool for an HSE recruitment automation project. The incident resulted in a data breach affecting approximately 20 individuals involved in recruitment processes. The compromised information included names, addresses, mobile numbers, and panel positions, but no patient data, financial information, or other sensitive personal identification data was accessed.
Description
On the evening of Thursday, June 8, 2023, the Health Service Executive (HSE) of Ireland became aware of a cybersecurity incident. The HSE was alerted by its external partner, the professional services firm EY, which was working with the HSE on a project to automate part of its recruitment process. EY reported that it had been impacted by a cyber-attack targeting the technology product MOVEit, which EY was using to support its work for the HSE. The attack was identified as criminal in nature and part of an international campaign of significant scale. Immediately upon notification, HSE teams began working closely with EY over the subsequent hours to conduct an urgent analysis to determine the precise impact on HSE data.

The analysis concluded that it was likely that information pertaining to no more than twenty individuals involved in HSE recruitment processes had been accessed by the attackers. The compromised data was related to recruitment panels and consisted of names, addresses, mobile phone numbers, and the individual's place on a recruitment panel. More general information concerning the specific posts being recruited was also involved. A critical finding from the investigation was that no other personal identification data, such as national identification numbers, and no financial data were included in the dataset that was accessed. Importantly, no patient data was involved in this breach whatsoever. The HSE's own internal ICT environment was not attacked; the compromise occurred entirely within the supply chain through the third-party software utilized by EY.
The attack was attributed to the ransomware gang known as Clop. This group exploited a zero-day vulnerability within the MOVEit Transfer secure file transfer application. This vulnerability provided the attackers with a method to infiltrate the networks of companies using the software and exfiltrate data. The incident affecting the HSE and EY was part of a much broader supply chain attack that impacted a wide array of organizations globally. Other prominent victims included users of the payroll services provider Zellis. The breach at Zellis led to the compromise of data belonging to over 100,000 employees from major companies including the British Broadcasting Corporation (BBC), the retailer Boots, and the airline Aer Lingus.
In response to the incident, the HSE engaged with relevant authorities. This included formally informing the Irish Data Protection Commission (DPC) of the breach in compliance with regulatory obligations. The organization also initiated the process of directly contacting the small number of individuals whose data was likely accessed to inform them of the situation. HSE CEO Bernard Gloster reviewed the incident with senior officials on the morning of June 9. He publicly stated that while any breach is regrettable, the exposure for the HSE appeared to be quite small given the limited scope of data and individuals affected. He also noted that there was no evidence as of that date indicating the stolen HSE data had been published or offered for sale on the dark web, an activity that EY was actively monitoring.
Concurrently, the Clop ransomware gang pursued an extortion campaign against the wider victim set of the MOVEit attack. The group issued an ultimatum via the dark web, stating that companies affected by their attack needed to establish contact with them by June 14. The threat associated with this deadline was that if contact was not made, the stolen personal data would be leaked online. In a specific addendum to this threat, Clop claimed that all individuals who worked for local or national government or police services were exempt. The gang addressed this group directly, telling them not to worry and asserting that their data had been erased and that there was no interest in exposing such information. However, the legitimacy and sincerity of this particular claim were publicly called into question by security observers. The HSE, as a national health service, would potentially fall under the category of organizations Clop claimed to exempt, but no specific communication from Clop regarding the HSE was detailed in the available information.

The primary technical impact on the HSE was the confirmed access and exfiltration of a limited dataset from a third-party system, with no ransomware deployment or encryption of HSE systems reported. The business impact was limited to the recruitment project automation work being conducted with EY, and the reputational impact was mitigated by the relatively small scale of the data breach compared to other victims in the same attack campaign. The organizational response focused on analysis, regulatory compliance, and individual notification.
