HSE Ireland Conti ransomware national healthcare shutdown (2021)
Conti operators tricked an HSE user into downloading a booby-trapped Excel attachment. The resulting ransomware attack forced the Health Service Executive to shut down all of Ireland's healthcare IT systems, and the attackers exfiltrated 700 GB of data, including COVID-19 vaccination PHI. Recovery cost exceeded €100 million.
- Victim: Health Service Executive (HSE) of Ireland
- Loss: $110.0M
On 14 May 2021, the Health Service Executive (HSE) — Ireland's national public-health service — was hit by Conti ransomware. To stop the spread, the HSE shut down all of its IT systems, nationwide. Hospitals reverted to paper. Appointments were cancelled across the country. It is the largest known ransomware attack against a public-health system anywhere in the world.
What happened
The intrusion began on 18 March 2021 with a textbook phishing attack: a Microsoft Excel attachment delivered to one user, opened, and executed. Conti, operated by the Russian-linked Wizard Spider group, established quiet access and dwelled in the network for two months before detonating its ransomware payload on 14 May.
The HSE's response was to disconnect its entire IT estate. Faced with the alternative — letting the ransomware spread to systems supporting cancer treatment, emergency departments, and maternity care — the HSE chose the operational catastrophe of going dark. Hospital workers reverted to pen and paper for prescriptions, lab requests, and patient tracking. The National Maternity Hospital warned of "significant disruption". COVID-19 vaccination rollouts continued, but with the systems running them severely degraded.
Conti exfiltrated approximately 700 GB of data, including public-health information for thousands of people who had received a COVID-19 vaccine. The group demanded $19,999,000 in ransom. The HSE refused to pay. A few days later, Conti — facing global public outrage at attacking a healthcare system during the pandemic — released a free decryption tool. But it kept the stolen data and threatened to sell or publish it.
Ireland's High Court issued injunctions blocking publication of the stolen records. Recovery dragged on for months and was projected to cost at least €100 million for IT change, partner support, and vendor work, with the broader impact (lost healthcare capacity, IT overhaul) substantially higher.
Impact
- All HSE IT systems shut down nationally; healthcare delivery degraded for weeks.
- ~700 GB of data exfiltrated, including COVID-19 vaccine PHI.
- HSE refused to pay the $19,999,000 ransom.
- Conti released a free decryptor under public pressure but retained stolen data.
- Recovery cost at least €100 million; later projected higher.
Why it matters
The HSE attack is the canonical reference for why national health services are uniquely exposed to ransomware: thin IT budgets, fragmented architectures, weak segmentation, life-and-death operational dependencies, and high media salience that creates leverage for the attacker. The Irish PwC post-incident review, published openly, has been studied by every major Western health service since.
Financial impact
Reported costs in USD
- Remediation: $110.0M
Timeline
A user at an HSE site downloads a booby-trapped Microsoft Excel attachment from a phishing email; Conti operators establish initial access.
Conti detonates ransomware across HSE networks. The HSE shuts down all of Ireland's healthcare IT systems nationwide. Hospitals revert to paper-and-pen; appointments are cancelled across the country.
Conti releases a free decryptor for the HSE — apparently after the publicity of attacking a national health service became too damaging — but threatens to sell or publish the 700 GB of exfiltrated data unless $19.999M is paid.
HSE refuses to pay; Ireland's High Court issues injunctions blocking publication of the stolen data.
HSE Director General publicly estimates recovery costs could exceed €100 million; the broader cost (lost capacity, IT overhaul) is later projected at far more.
PwC's independent post-incident review identifies systemic underfunding of HSE cybersecurity, lack of MFA on critical accounts, and weak segmentation as enabling factors.