Aodhan O'Faolain
A Cork-based hospital has secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data believed stolen from its computer systems in cyberattack.
The orders were made in favour of the Mercy Hospital Cork against “persons unknown” responsible for accessing the hospital's IT system, that is separate from systems operated by the HSE, and planting a ransomware note on it as discovered by the hospital on May 14th last.
The orders, which are similar to those obtained by the HSE last week, also apply to any persons with knowledge of them.
The hospital has brought its own proceedings after ransom messages were found on its own private IT systems, including its radiology and emergency department's systems.
Similar injunctive orders obtained by the HSE last week do not cover the hospital's own private data, the court heard.
The orders were granted by Ms Justice Siobhan Stack on Tuesday, who also placed an embargo on the reporting of the application to allow the hospital serve notice of the proceedings on the proposed defendants.
Ransomware note
A ransomware note, demanding money, found on the hospital's own private computer system included a link which purports to be a way to contact the hackers.
The court heard that it is proposed to serve the proceedings on the unknown hackers via the link.
Seeking the orders Brian Foley SC for the hospital said that it had brought separate, but similar, proceedings from those launched by the HSE.
This is because any data taken from private systems within the hospital that are separate from the HSE, would not be covered by the orders obtained by the HSE in its action.
The hospital is a private voluntary hospital, that hosts public patients and has access to HSE data.
Counsel said that as was the case with the HSE the hospital discovered on May 14th that its' own systems had also been subjected to a "heinous criminal action of accessing the hospital's private data."
There was "no possible defence to the proposed defendant's actions," counsel said.
Darkweb
The orders, he said were needed mainly to prevent anything that is published on the darkweb from being published on sites hosted by Internet Service Providers.
Counsel said obtaining's orders against those behind the cyberattack was "not a futile exercise".
While there was not much of a reality to finding out who these persons are, a court order would ensure Internet Service Providers would take down and remove any data stolen from the hospital's systems published on publicly accessible platforms or websites.
The orders prevent the intended defendants selling, processing, publishing, sharing or making available to any member of the public, the stolen HSE data, which includes private medical data of HSE patients.
They also restrain possession, transfer or disclosure of the information obtained from the HSE’s system without the HSE’s consent and require the “persons unknown” to identify themselves by providing names, postal addresses and email addresses.
Russian-based hackers
The orders were sought in intended proceedings by the hospital, which include claims for damages for breach of confidential information, fraud and deceit, conspiracy and conversion of the data which is believed to have been accessed by Russian-based hackers based in Russia.
In a sworn statement to the court the hospital's ICT Manager Peter O'Callaghan said like the HSE's IT system , it was now apparent that the hospital's own systems have been accessed and corrupted by the hackers.
This includes the hospital's own 'Intelligo' system which deals with payroll and human resources. That system contains data such as staff bank account details.
He said a ransomware note found on their private computer systems, that are not linked to the HSE systems, warning the hospital that “YOU SHOUD BE AWARE! Just in case, if you ignore us. We’ve downloaded your data and are ready to publish.”
The note also said that the hospital files were currently encrypted by Conti ransom software and warned it not to use any recovery software, he added.
In response to the attack, he said the hospital has been able to recover some of its systems.
He said at this stage and based on the ransomware note, it was impossible to say that the cyberattack on the HSE had not accessed the hospital's purely private data.
While the HSE may be the hackers' main target he said that given the threatening note on their own systems it was highly likely that data has been extracted and would be used in a criminal act by the hackers.
In her ruling Ms Justice Stack said she was satisfied to make orders, sought on an ex-parte basis, by the hospital. The orders, the judge said, were "workable, have purpose and were not futile."
The case was adjourned to a date in July, with liberty to apply to bring the proceedings back before the court should the need arise.