DUBLIN — A criminal gang that attacked Ireland’s medical system has provided a decryption key that may allow hospitals to regain patients’ frozen records, the government announced Thursday night.
Government officials have identified those believed to be responsible as a Russian cybercrime gang called Wizard Spider based in St. Petersburg.
“No ransom was paid by the Irish state,” said Health Minister Stephen Donnelly, who warned it could be weeks before hospitals and clinics regain full access to digital communications and patient records.
Ireland’s Health Service Executive (HSE) said an externally contracted cybercrime firm was testing the decryption key in a virtual environment to determine whether it worked and contained no additional hidden malware.
The government warned that the ransomware gang may sell the stolen records of hundreds of thousands of patients to other criminals, who could use confidential data to try to defraud or blackmail individuals.
Green Party leader Eamon Ryan, the government minister responsible for communications, warned citizens that fraudsters might call them seeking their private data. He said the government would set up a telephone helpline for people to report suspicious communications.
The government also secured a Dublin High Court injunction Thursday night forbidding the publication or sharing of any patient or hospital data online. That move followed a Financial Times report that some stolen records have already been published online on the dark web.
Judge Kevin Cross approved an order forbidding the public transmission of any material stolen in pursuit of what he called a “particularly heinous form of blackmail.”
Lawyers for the government said a primary motivation in seeking the order was to put Google, Twitter and Facebook — all of which have bases in Dublin — on notice that they must not allow such stolen data to be published or shared on their platforms.
In an accompanying court affidavit, the HSE’s interim chief information officer, Fran Thompson, said the hackers had gained access to the medical system’s central servers one to two weeks before issuing ransom demands on May 14.
The hackers launched a similar attack on the Department of Health around the same time but failed to breach security on its servers.
Computer security experts have slated the HSE’s infrastructure, noting that many of the approximately 80,000 devices connected to central servers still used outmoded operating systems, including Windows XP, which Microsoft stopped supporting with security updates in 2014.
Donnelly said the HSE had spent more than €300 million improving its IT infrastructure and security since 2017, when a report found it was vulnerable to attack. He said some Irish law firms were now advertising for clients and “licking their lips at the thought of being able to sue the state.”
Many hospitals have canceled non-emergency procedures over the past week as practices returned to 1980s paper-based systems. The HSE said that, for example, about half of chemotherapy appointments had been cancelled nationwide.
At the Temple Street children’s hospital in central Dublin, red signs reading “Do not switch on any IT equipment until further notice” have been placed at receptions and workstations for the past week.
Its clinical director, Adrienne Foran, said the cyberattack had “affected everything we do in the hospital,” forcing doctors unable to access electronic records to quiz parents about their child’s medical history.