On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.
On 19 May, the Financial Times reviewed private data for twelve individuals which had appeared online as a result of the breach.
[19] The National Cyber Security Centre identified the penetration testing tool Cobalt Strike, sold by American IT company HelpSystems, as being used to move through and infect HSE and Department of Health systems, to run executable files, and to deploy a variant of the Conti ransomware.
[14][20] Cobalt Strike Beacon was detected on infected systems, which allowed those systems to be controlled and software to be deployed on them remotely.
[20] The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.
[24] The Chief Operations Officer of the HSE – Anne O'Connor – said on 14 May that some cancer and stroke services had been affected and that "the situation will be very serious if it continues into Monday [17 May]".
[28][29] On 19 May, the Financial Times reviewed "samples" of private data of twelve individuals that was published online, including admission records and laboratory results for a man admitted to hospital for palliative care.
In response, the National Cyber Security Centre stated criminal gangs "habitually release stolen information as a means of pressurising organisations into paying a ransom".
[33] The Garda National Cyber Crime Bureau received the data from the United States Department of Justice through a mutual legal assistance treaty.
[33] The HSE worked with the National Cyber Security Centre, the Garda Síochána and the Irish Defence Forces, as well as various partners domestically and internationally, including Europol and Interpol.
[41][42] American cybersecurity firms McAfee and FireEye were contracted by the HSE after the attack to mitigate the damage, and to monitor dark web sites for leaked data.
[43] On 16 May, it was reported that the Department of Social Protection came under "sustained and fierce attack" but the highly organised criminal group were unable to breach the security.
[46][47] On the same day, it was reported that the organised cyber crime group provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.
[48][49] Meanwhile, the public was advised by Gardaí to be aware of a number of call and text scams in the wake of the cyber attack amid warnings the delivery of care in the health service would be a high risk for weeks;[50][51] as of 24 May, the Garda Síochána have described any calls threatening the release of information as "opportunistic", stating they do not have access to private data.
[52] On 27 May, the Chief Executive of the HSE – Paul Reid – said that the cost of the cyber attack on its IT systems could exceed €100 million.
Army Reservists were particularly useful to this effort due to their cybersecurity skills and experience gleaned from the private sector during their day jobs.
[13] HSE CEO Paul Reid said that the system had not been strategically designed, but was the result of amalgamation of health boards, hospital groups and Community Healthcare Organisations.
[39][57][58] A preliminary investigation by the NCSC showed the use of remote access tool Cobalt Strike, sold by American technology company HelpSystems,[59] to infect systems and execute the ransomware payload.
[20] According to RTÉ News, a digital note from the cyber crime group believed to be responsible was left on the Department's IT systems, similar to the one discovered at the HSE.
[65] On 25 June 2021, High Court judge Tony O'Connor was told that approximately 27 files stolen from the HSE were placed on the malware analysis service VirusTotal in late May.
The HSE sought the return of the stolen data and an explanation of the link location, but the Financial Times indicated it had received the information from a confidential source, which it refused to reveal.
[67] On 20 May 2021, the HSE had obtained a court order restraining any processing, publishing, sharing or selling of stolen data.
When the Financial Times received a copy of the order, it handed over the information it had got from the source to the HSE's computer security advisers.
The judge, on an ex parte basis, granted counsel permission to serve short notice of the proceedings on the defendants and resumed the matter the following week.