HSE Cyber-Attack Notification Programme Update from Tusla
- As a result of the cyber-attack on the HSE in May 2021, some personal information belonging to a number of people who have been involved with Tusla services, and a small number of Tusla employees, was illegally accessed and data was copied.
- There is currently no evidence that any of the Tusla information that was stolen has been published online, on the ‘dark web’, or elsewhere, and we are continuing to monitor the situation with the assistance of cyber-security experts.
- Tusla is announcing the commencement of its programme to contact people whose information was illegally accessed and copied during the cyber-attack, in line with GDPR guidance, with notifications expected to be completed by November 2023.
- Tusla is working to verify the contact details of approximately 20,000 people and will be sending letters by means of registered post to verified addresses.
- If a person receives a notification letter from Tusla it will contain instructions on what to do next. If a person does not receive a letter, they do not need to contact Tusla or do anything at this time.
Tusla – Child and Family Agency is today announcing the commencement of a notification programme to contact people whose personal information was affected by the criminal cyber-attack on Health Service Executive (HSE) servers, which took place in May 2021.
At the time of the cyber-attack, the HSE provided IT services to Tusla. Tusla worked closely with the HSE and security experts to contain the cyber-attack. Subsequently, Tusla and the HSE were assisted by the Garda National Cyber Crime Bureau, the International Criminal Police Organisation (Interpol) and the National Cyber Security Centre to support the response. A High Court order was secured restraining any sharing, processing, selling, or publishing of data stolen as part of the cyber-attack. The Data Protection Commissioner (DPC) was also notified.
At the end of December 2021, An Garda Síochána provided Tusla with a copy of the files that were illegally accessed and copied. Tusla has undertaken an extensive process to carefully review all of this information, to identify individuals affected, in accordance with GDPR guidance, and guidance from the Data Protection Commission.
Some personal information belonging to a number of people who have been involved with Tusla services, and a small number of Tusla employees, was illegally accessed and data was copied.
Over the coming months, Tusla will be notifying people who were affected in writing, in line with GDPR guidance. The notification programme has been developed following consultations with the Data Protection Commissioner.
A dedicated response team has been created to manage the process, and to provide support and guidance to the people who receive a notification letter.
Tusla is treating this process with the utmost sensitivity and consideration, and people who receive a letter will have the choice of meeting face to face with a case worker or going directly to a portal to access their personal information that was affected, should they wish to do so.
Speaking about the commencement of the notification programme, Kate Duggan, Director of Services & Integration, Tusla, said, “This week Tusla will be commencing its programme to notify people whose personal information was illegally accessed and copied as part of the cyber-attack on the HSE. We have seen no evidence that any of the Tusla information that was affected has been published on the internet or dark web, and we are continuing to monitor the situation with the assistance of cyber-security experts. There is also no evidence that any of the Tusla information has been involved in scams or other fraudulent activity.
“We sincerely regret the impact this criminal cyber-attack has had on people who have been involved with Tusla services, and on our teams across the country, and we will be apologising to each person we write to as part of our notification process.
“We have worked hard to create a process that is transparent, empathetic and supportive for those who have been affected, and we will offer each person we write to the choice to call our dedicated team for support and guidance, or to meet face-to-face with a case worker, should they wish to do so.
“We acknowledge that it has taken some time for the commencement of this notification programme; however, it was crucial that each record that was affected by the cyber-attack was carefully reviewed to identify the people affected. We also have to ensure that letters are being sent to verified addresses. Notifications will continue over the coming months, and we ask for understanding and patience as we continue to work through this complex process.”
Given the nature of the work that Tusla does, in terms of personal social service provision across a range of areas, the types of personal information affected include names, addresses, contact phone numbers, correspondence with service users, various reports, and referrals made to Tusla. For staff, information that was affected includes documents such as HR forms submitted in relation to leave and files relating to staff travel expenses. Tusla has considered the individual needs of the people affected by the cyber-attack and will take account of these when notifying them.
All IT systems that support Tusla services were restored by the 30th of June 2021, and much of Tusla’s IT infrastructure has since completed a migration to Tusla-owned and secured systems, of which cyber-security is a cornerstone. Tusla has worked closely with An Garda Síochána, the National Cyber Security Centre, and various other specialist national and international agencies to strengthen our IT security, and we continue to assess our systems for vulnerabilities. At the start of 2022, Tusla commenced a €13m investment in cyber-security infrastructure, across device, email, and network security.
More information on Tusla’s notification programme can be found at www.tusla.ie/dataprotection