Cyber Incident Victim: Health Service Executive
Date: May 2021
Location: Ireland
Summary
Ireland's Health Service Executive suffered a sophisticated Conti ransomware attack, leading to the precautionary shutdown of all IT systems to contain the breach. While emergency departments, ambulance services, and most healthcare appointments continued operating normally, some hospitals experienced disruptions including canceled appointments, and COVID-19 test referrals were temporarily halted, though scheduled vaccinations and testing proceeded unaffected. The attackers, known for targeting enterprise networks to deploy ransomware via fileless techniques, had not yet issued a ransom demand at the time of reporting.
Description
On May 14, 2021, Ireland's Health Service Executive (HSE) shut down all IT systems following a confirmed Conti ransomware attack. The breach was identified as a human-operated attack targeting data access, with HSE Chief Executive Paul Reid publicly attributing it to the Conti ransomware operation. Conti, a private Ransomware-as-a-Service (RaaS) operation linked to Ryuk ransomware through shared code and distribution channels, typically infiltrates enterprise networks, spreads laterally to obtain domain admin credentials, and deploys payloads via fileless techniques like reflective DLL injection. The variant used against HSE appended the .FEEDC extension to encrypted files. Conti had previously targeted Scotland’s environmental agency in December 2020, leaking stolen data. HSE’s immediate containment response involved isolating systems to prevent further compromise while collaborating with security partners to assess the intrusion. No ransom demand had been communicated to HSE at the time of Reid’s initial statements.

The attack disrupted non-emergency healthcare services, though emergency departments and the National Ambulance Service maintained normal operations without impact to dispatch or call handling. Specific hospitals, including Rotunda Maternity Hospital and Cork University Hospital, canceled appointments due to IT outages. COVID-19 vaccination appointments and scheduled tests proceeded unaffected, but HSE suspended its ability to refer individuals for COVID-19 testing until systems were restored, directing symptomatic patients or close contacts to prioritize walk-in testing centers. HSE publicly apologized for service interruptions and committed to providing updates as the investigation progressed. Internal security teams focused on determining the attack’s full scope and operational consequences, with no disclosure of initial access vectors or data exfiltration details in the immediate aftermath.
