Tusla - An Ghníomhaireacht um Leanaí agus an Teaghlach - Child and Family Agency
Home  /  Cyber-Attack Notifications

Cyber-Attack Notifications

To request copies of your information that was illegally accessed in the cyber-attack on the Health Service Executive (HSE) May 2021

If you have received a letter from us, explaining that some of your personal information has been affected by the cyber-attack on the Health Service Executive (HSE) in May 2021, you do not need to do anything.

However if you wish to request a copy of the documents accessed and copied that relate to you or your minors, please select the form/s that applies to you from the links below, print it out, complete it, and send it with the required photocopy of photographic ID, and/or the required guardianship verification documentation to the following address:

Tusla, PO BOX 13572, Naas, Co Kildare

Please note you may have received more than one letter from Tusla in which case you may require both a form for you called “Data Request Form for a Notified Individual” AND a form to request a copy of the documents that relate to your family called “Data Request Form for a Notified Parent/Guardian”.

If you have any questions in relation to the above, you can call us on freephone 1800 66 55 44.

                                   Data Request Form for a Notified Individual:                                Data Request Form for a Notified Parent/Guardian:

 

Background to the cyber-attack

What do I need to do?

If you are worried about your data

What happened to the stolen data?

Tusla systems and security improvements following the cyber-attack

What data does Tusla collect?

What are my rights when it comes to my data?

 

Background to the cyber-attack

On 14 May 2021, the Health Service Executive (HSE) was the victim of a major ransomware cyber-attack which affected its IT systems.  At that time, the HSE provided several IT services to Tusla. During the cyber-attack, some personal information belonging to a number of people who have been involved with Tusla services, and a small number of Tusla employees, was illegally accessed and data was copied.

The Tusla Information and Communications Technology (ICT) department worked closely with the HSE and security experts to contain the cyber-attack. Tusla and the HSE were assisted by the Garda National Cyber Crime Bureau, the International Criminal Police Organisation (Interpol) and the National Cyber Security Centre to support the response. The Data Protection Commissioner (DPC) was also notified.
                                                                                                                                                                                                                                  Back to top

What do I need to do?

Tusla has developed a notification process following consultations with the Data Protection Commissioner and we have written to people affected by the cyber-attack in line with GDPR guidance.

If you have received a letter, it will contain clear instructions on what to do next.

If we did not write to you

If you did not receive a letter, you do not need to do anything. 

If you have received a letter from us, we will provide you with as much detail as we can about your personal information that was affected by the cyber-attack.

Notification Process

Gardaí worked with international law enforcement agencies to investigate the cyber-attack as soon as it happened. Their investigation is still on-going.

At the end of December 2021, they provided us with a copy of the files that were illegally accessed and copied.

Over the past year, we have carefully reviewed the information that was illegally accessed and copied in accordance with GDPR guidance, and guidance from the Data Protection Commission. This was an extensive process which involved a careful review of all records and documents to ensure we identified the people affected. We have also had to ensure that we have confirmed the details and addresses of the people we will be writing to.
                                                                                                                                                                                                                                  Back to top

 

If you are worried about your data

There is currently no evidence of any scams linked to this cyber-attack. However, cyber-crime is common and is becoming more advanced. Some of the most common types of scams involve the use of false e-mails, calls or texts pretending to be from real organisations.

Click here for information on keeping yourself safe from scams and fraud attempts.

Throughout all of your contact with us you can expect that we will be supportive.
                                                                                                                                                                                                                                  Back to top

 

What happened to the stolen data?

Following the cyber-attack, we have taken and continue to take every necessary step to protect the data of anyone affected by this cyber-attack, and all personal information (data) that we hold. There is no evidence that any of the personal information that was stolen from Tusla has been published online, on the ‘dark web’, or elsewhere, and Tusla and the HSE are continuing to monitor the internet and the dark web with the assistance of cyber-security experts.

As a further layer of protection, on the 20th of May 2021, a High Court Order was also secured restraining any sharing, processing, selling, or publishing of data stolen as part of the cyber-attack.
                                                                                                                                                                                                                                  Back to top

 

Tusla systems and security improvements following the cyber-attack

All IT systems that support Tusla services were restored by the 30th of June 2021. Much of Tusla’s IT infrastructure has since undergone a migration to Tusla-owned and secured systems, of which cyber-security is a cornerstone. We are monitoring and regularly assessing our systems for vulnerabilities and opportunities for improvement with the assistance of cyber security experts, to help protect the data that we hold from any future attacks.
                                                                                                                                                                                                                                  Back to top

 

What data does Tusla collect?

Tusla processes personal data to carry out the functions assigned to the Agency by the Child and Family Agency Act 2013 and other relevant legislation, to promote the development, welfare and protection of children and families.

We may use the information we have about you when it is permitted or required by law to provide the following services, and to comply with legal and reporting obligations in relation to the following services:

  • Child Protection and Welfare Services
  • Alternative Care Services (including but not limited to, Adoption, Foster Care, Residential Care, Special Care and After Care Services)
  • Family and Community Support Services
  • Education Support Services
  • Early Years Services
  • Domestic, Sexual and Gender Based Violence Services

If you would like further information, please read our Data Protection Notice which describes how we use the personal data that we collect and receive about you in more detail.
                                                                                                                                                                                                                                  Back to top

 

What are my rights when it comes to my data?

Individuals whose personal data Tusla processes may exercise their General Data Protection Regulation (GDPR) rights as set out in the summary below:

  • Right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights.
  • Right of access: You have the right to obtain access to your personal data (information).
  • Right to rectification: You’re entitled to have your personal data corrected if it is inaccurate or incomplete.
  • Right to erasure: This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your personal data where there’s no compelling reason for us to retain it.
  • Right to restriction of processing: In certain situations, you have the right to ‘block’ or not allow further use of your information.
  • Right to object: You have the right to object to certain types of processing of your personal data.

If you would like further information, our please see our Data Protection Notice which provides more detail in relation to your GDPR rights.
                                                                                                                                                                                                                                  Back to top

WEBSITE BY CREATIVE INC & Kooba Web Design Dublin