Full Report
The Health Service Executive has started offering compensation to victims of the HSE cyberattack that occurred in May 2021. The HSE has not confirmed the amounts involved, but it is understood that the approximately 620 people taking legal action will each be offered €750. They will also be offered €650 towards their legal costs.
Analysis Summary
# Incident Report: HSE 2021 Ransomware Attack and Subsequent Compensation Offer
## Executive Summary
In May 2021, the Health Service Executive (HSE) in Ireland suffered a major ransomware attack attributed to the Russian hacking group Conti. The attack caused widespread disruption, and information held on HSE computer systems was illegally accessed and copied, affecting over 90,000 individuals. As of late 2025, the HSE is moving to resolve legal claims by offering approximately 620 claimants €750 in damages plus €650 for legal costs as a full and final settlement.
## Incident Details
- **Discovery Date:** May 14, 2021 (Date of the attack/widespread disruption)
- **Incident Date:** May 2021
- **Affected Organization:** Health Service Executive (HSE)
- **Sector:** Healthcare
- **Geography:** Ireland
## Timeline of Events
### Initial Access
- **Date/Time:** May 14, 2021 (Approximate start of the attack)
- **Vector:** Ransomware attack (specific initial vector not detailed in source; likely phishing or exploitation).
- **Details:** A major ransomware attack caused widespread disruption.
### Lateral Movement
- **Details:** Cybercriminals illegally accessed and copied information held on computer systems. (Details on internal movement are not provided in the source text).
### Data Exfiltration/Impact
- **Details:** Information held on computer systems was illegally accessed and copied. The attack caused major service disruption. The final number of affected individuals contacted by the HSE was 90,936.
### Detection & Response
- **Details:** The attack caused widespread disruption, implying detection occurred when services failed or systems were encrypted. The HSE has since invested significantly in its cyber defence capabilities. By November 2025, the HSE began actively engaging with legal representatives regarding settlement offers for legal proceedings.
## Attack Methodology
- **Initial Access:** Ransomware deployment (Attributed to Conti group).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Gained access to and copied data from computer systems.
- **Collection:** Data (information) was illegally copied from HSE systems.
- **Exfiltration:** Data was copied (implies exfiltration prior to/during encryption).
- **Impact:** Widespread disruption to services and potential release/exposure of sensitive data.
## Impact Assessment
- **Financial:** Compensation offers are being made (€750 per claimant + €650 legal costs for approximately 620 claimants). Significant unknown costs related to remediation and system upgrades.
- **Data Breach:** Information held on computer systems was illegally accessed and copied. Approximately 90,936 individuals were contacted regarding the breach.
- **Operational:** Caused "major disruption" across the HSE network.
- **Reputational:** Led to significant legal action against the HSE (approx. 620 proceedings filed by November 2025).
## Indicators of Compromise
*(Note: Specific IoCs are not mentioned in the provided text.)*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized encryption/system disruption consistent with ransomware activity.
## Response Actions
- **Containment measures:** Implied immediate actions taken at the time of the May 2021 attack (not detailed).
- **Eradication steps:** Not detailed.
- **Recovery actions:** The HSE has significantly invested in its cyber defence capabilities since the attack.
- **Legal Resolution:** Initiated settlement procedures for legal claims, offering compensation to victims.
## Lessons Learned
- The HSE was operating on a **"frail IT system."**
- The organization **"did not have proper cyber expertise or resources"** leading up to the incident.
## Recommendations
- Harden critical IT infrastructure, addressing identified frailties.
- Significantly increase investment and staffing in dedicated, high-level cyber expertise and resources to match the modern threat landscape.
- Implement robust, multi-layered defense mechanisms to prevent ransomware intrusion and lateral movement.