Four years later, Irish health service offers €750 to victims of ransomware attack

Remember when a notorious ransomware gang hit the Irish Health Service back in May 2021? Four years on, and it seems victims who had their data exposed will finally receive compensation.

The attack against the Health Service Executive (HSE) began when the Russia-linked Conti ransomware group tricked a user into downloading a boobytrapped Microsoft Excel file. The anti-virus software running on the HSE's computer had not been properly updated, and failed to block the malware from running.

The security breach forced the HSE to shut down its entire IT infrastructure. Hospitals had to resort to using pen and paper, patients' appointments were cancelled, and the National Maternity Hospital warned of "significant disruption" to its services.

Patients did not just find themselves facing lengthy delays to their treatment. They also saw sensitive information related to them published online by the hackers.

The Conti gang warned that it would sell or publish the stolen data if a $19,999,000 ransom was not paid - but did eventually provide a free decryption tool to help the hospital recover its encrypted files.

A later PwC report found that the HSE had been woefully unprepared, with unpatched computers, outdated operating systems, and a "frail" IT infrastructure.

The Health Service Executive (HSE) has now made an offer of €750 to victims whose personal data was compromised in what was declared the largest ever cyber attack against a health service computer system in Ireland.

According to media reports, a Cork-based solicitors firm representing more than 100 people affected by the data breach received the offer from the HSE last Friday.

O'Dowd Solicitors said that it was "the first time in public (or private that I know of) the HSE have acknowledged that they will need to compensate individuals impacted by the breach," and described the offer as a "significant development."

An additional €650 per person has been offered to cover victims' legal costs.

€750 may not sound like much money for a breached organisation to offer to impacted victims, but over 90,000 people were notified by the HSE that their data was exposed, meaning the total bill could in theory be in excess of €100 million if similar deals are made.

The HSE claims that that after more than four years of investigation and monitoring, it has found "no evidence that any of the illegally accessed information has been used in scams or fraud."