Cyberattack: HSE seeks court orders to help identify those who accessed stolen files

20 people uploaded or downloaded confidential data onto a service by Google-owned security firm

The stolen material included sensitive patient information including correspondence, minutes of meetings, and corporate documents, the HSE claims. Photograph: iStock
The stolen material included sensitive patient information including correspondence, minutes of meetings, and corporate documents, the HSE claims. Photograph: iStock

More than 20 people either uploaded or downloaded confidential information stolen in the cyberattack on the HSE onto a web service provided by a Google-owned internet security firm, the High Court has heard.

Mr Justice Tony O’Connor was told on Friday that, late last month, approximately 27 files stolen from the HSE were downloaded onto a malware analysis service VirusTotal, owned and run by Chronicle Security Ireland Ltd and its US-based parent Chronicle LLC.

The stolen material included sensitive patient information including correspondence, minutes of meetings, and corporate documents, the HSE claims.

It has since been deleted from the service provided by Chronicle, whose ultimate parent is Google, but the HSE says the material was downloaded 23 times before it was removed on May 25th last.

READ SOME MORE

The defendants - Chronicle Ireland and its US parent - have said in correspondence they want to assist the HSE as much as they can, but for data protection reasons cannot hand over material unless a court orders them to do so.

As a result, the HSE is seeking ‘Norwich Pharmacal’ orders against the two companies requiring them to provide information about those who uploaded or downloaded the material in question.

The orders would require the defendants to provide the HSE with the, as of now, unknown persons’ email addresses, phone numbers, IP addresses or physical addresses.

In an affidavit, the HSE’s national director for operation performance and integration Joe Ryan said it became aware last moth of an article published by the Financial Times (FT) which referred to some stolen data, and a link used to access the stolen data online.

The HSE sought the return of the data referred to in the article and an explanation as to the location of the link referred to but the FT indicated it had obtained the stolen data from a confidential source which it refused to reveal.

Following the cyber-attack, the HSE obtained a High Court order on May 20th last that restraining any sharing, processing, selling or publishing of data stolen from its computer systems.

Having received a copy of that order, the FT handed over the information obtained from the source to the HSE’s cyber-security advisors, Mr Ryan said.

Mr Ryan said, following analysis of the material received from the FT, it was discovered the stolen documents were uploaded on the defendants’ Virustotal, a service designed to screen documents to ensure they are virus free.

After contacting the defendants, Mr Ryan said the stolen material was deleted from the Virustotal platform. The HSE was informed that, before the material was removed, 23 subscribers to Virustotal had downloaded the stolen data.

As part of its ongoing efforts against those behind the cyberattack the HSE sought information about those persons and the parties that had uploaded the material on the service but was informed, due to data protection concerns, the defendants require a court order in order to comply with the request to deliver up the information sought.

Jonathan Newman SC, with Michael Binchy BL for the HSE, told the judge on the matter was urgent but it was hoped the order sought by the HSE could be finalised when the matter next comes before the court.

He said Chronicle’s lawyers had indicated it is unlikely to oppose any order, in an agreed form, requiring it to disclose information sought by the HSE.

Mr Justice O’Connor, on an ex-parte basis, granted counsel permission to serve short notice of the proceedings on the defendants and returned the matter to next week.