Over 20 people either uploaded or downloaded confidential information stolen in last month's cyberattack on the HSE onto a web service provided by a Google-owned internet security firm, the High Court has heard.
Mr Justice Tony O'Connor was told on Friday that late last month approximately 27 files stolen from the HSE were downloaded onto a malware analysis service 'VirusTotal' which is owned and run by Chronicle Security Ireland The HSE applied to the High Court for an order to allow them access to information regarding the people who uploaded or downloaded the stolen filesLtd and its US-based parent Chronicle LLC.
The stolen material included sensitive patient information, including correspondence, minutes of meetings, and corporate documents, the HSE claims.
It has since been deleted from the service provided by Chronicle, whose ultimate parent is the internet giant Google. However, the HSE says the material was downloaded 23 times before it was removed on May 25th last.
The defendants have said in correspondence that they want to assist the HSE as much as they can, but for data protection reasons cannot hand over material unless a court orders them to do so.
Court order
As a result, the HSE is seeking what is known as a 'Norwich Pharmacal' order against the two companies, requiring them to provide information about those who uploaded or downloaded the material in question.
In a sworn statement to the court, the HSE's national director for operation performance and integration, Joe Ryan said the health service became aware of an article published by the Financial Times last month, which referred to some stolen data and a link used to access the data online.
The HSE sought the return of the data referred to in the article and an explanation as to the location of the link referred to in the article.
Mr Ryan said the FT indicated it had obtained the stolen data from a confidential source which it refused to reveal.
Following the cyber-attack, the HSE obtained a High Court order on May 20th restraining any sharing, processing, selling or publishing of data stolen from its computer systems.
When the FT received a copy of the May 20th order it handed over the information obtained from the source to the HSE's cybersecurity advisors, Mr Ryan said.
'Virustotal'
Mr Ryan said that following an analysis of the material received from the FT it was discovered that the stolen documents were uploaded on the defendants 'Virustotal', a service designed to screen documents to ensure they are virus free.
After contacting the defendants, Mr Ryan said the stolen material was deleted from the 'Virustotal' platform.
He said that the HSE was also informed that before the material was removed a total of 23 subscribers to 'Virustotal' had downloaded the stolen data.
As part of its ongoing efforts against those behind the cyberattack, the HSE sought information about those persons, as well as any information on the parties that had uploaded the material on the service.
However, the HSE was informed that arising out of data protection concerns the defendants require a court order in order to comply with the request to deliver up the information sought, Mr Ryan added.
Seeking the disclosure order, John Newman SC, with Michael Binchy Bl for the HSE, said that the matter was urgent.
Counsel said at this stage it is hoped the order sought by the HSE could be finalised when the matter next comes before the court.
Counsel said Chronicle's lawyers have said in correspondence that it is unlikely to oppose any order, in an agreed form, requiring it to disclose information sought by the HSE.
After considering Mr Newman's submissions Mr Justice O'Connor, on an ex-pate basis, granted the HSE permission to serve short notice of the proceedings on the defendant companies.
The matter will come back before the court next Tuesday.