Medical and personal information about Irish patients stolen by hackers last week is now being shared online, screenshots and files seen by the Financial Times show.
The records offered online by hackers to further their demands for almost $20m in ransom also include internal health service files, such as minutes of meetings, equipment purchase details and correspondence with patients.
Ireland’s Health Service Executive (HSE) has been trying to establish how many patients’ data was compromised by the attack, which forced Ireland to shut down most of the IT systems behind hospitals that serve millions.
The files seen by the FT are the first confirmation that patients’ personal data has been leaked as a result of what Ireland’s leader Micheál Martin described on Tuesday as a “heinous attack”.
The files were offered by the ‘ContiLocker Team’ as samples to prove that they had confidential information, according to screenshots seen by the FT. Conti is the name of the type of cyber attack perpetrated on the HSE. It is characterised by taking control of systems and stealing data, and is associated with a group operating out of Russia and eastern Europe.
The HSE patient and business files were offered in a chat between ContiLocker Team and an unnamed user, which can be viewed at separate links on the internet and dark web.
The chat includes a link to “samples” of the data Conti has, along with a password to access the samples. The files were emptied when the FT examined the link, but the names of the empty files corresponded to files shared with the FT by a person who accessed the link earlier in the week.
The person said the files had been available for several days, and were found after some details of the attack were shared on a public database used by cyber security professionals.
The 27 files include personal records of 12 individuals. One file reviewed by the FT includes admission records and laboratory results for a man who was admitted to hospital for palliative care. The broad details in that file matched a subsequent death notice seen by the FT.
Earlier on Tuesday, Stephen Donnelly, Ireland’s health minister, told an Irish radio show that police were examining “heavily redacted materials” that had been published online, and that Ireland had “no verification that what has been posted is real data”.
In the chat, ContiLocker Team claimed the hackers had stolen 700 gigabytes of data including patients’ home addresses and telephone numbers, as well as staff employment contracts, payroll data and financial statements.
“The good news is that we are businessmen. We want to receive ransom for everything that needs to be kept secret,” ContiLocker Team added, naming a figure of $19.99m.
Asked about the files seen by the FT, the Irish police said: “An Garda Síochána does not comment on unverified content on social media or provide specific commentary on any ongoing criminal investigation.”
Ireland’s National Cyber Security Centre, which is leading Ireland’s investigation into the hack, told the FT that criminal gangs “habitually release stolen information as a means of pressurising organisations into paying a ransom”.
“The National Cyber Security Centre is working with the Garda National Cyber Crime Bureau and international partners to identify any such material, verify it and then take all available measures to limit the exposure of the personal data online.”
On Tuesday, Donnelly said the hack was “not just on the HSE, it’s an attack on the people of Ireland”, describing the effects as “heartbreaking”. Doctors have warned that patients will suffer if they continue to be unable to process laboratory results and are forced to postpone appointments.