Conti Ransomware Crippled Ireland’s Health Service and Exposed Stolen Data
Ireland’s Health Service Executive (HSE) was hit by a major Conti ransomware attack that forced the shutdown of national health IT systems, disrupted hospital clinics, maternity services, radiology, GP referrals, and parts of Covid-19 testing and contact tracing, while emergency care and the vaccination programme continued. Irish officials said the attack began early on a Friday morning, described it as one of the most serious cybercrime incidents ever faced by the state, and confirmed the government would not pay a bitcoin ransom. Investigators also examined related hostile activity, including an attempted intrusion at the Department of Health and earlier distributed denial-of-service activity, while Gardaí, the National Cyber Security Centre, Defence Forces, Europol, and outside cybersecurity experts joined the response.
The attackers were reported to have demanded about $20 million and claimed to have stolen roughly 700 GB of data, raising fears that patient and employee information could be leaked on dark-web extortion sites. Recovery was expected to take weeks as the HSE rebuilt systems and shifted many services to manual processes, while the health service sought court injunctions to restrain the sharing of hacked data. The financial fallout later climbed to about $600 million, and the long tail of the breach continued years later, with the HSE offering compensation to some victims affected by the system-wide cyberattack.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
HSE offers €750 to victims of the cyberattack
In December 2025, the HSE offered €750 to people affected by the system-wide cyberattack. This indicates a later compensation step tied to the long-term consequences of the 2021 incident.
Estimated cost of HSE ransomware attack reaches $600 million
By late June 2021, reporting said the costs associated with the ransomware attack on Ireland's health system had reached about $600 million. The figure reflected the extensive recovery effort and the broad operational and financial impact of the incident.
HSE obtains court injunctions against sharing stolen data
On 2021-05-20, the HSE secured High Court injunctions restraining the sharing, processing, or sale of data taken in the attack. The legal move aimed to limit further dissemination of hacked information if it appeared online or was traded by third parties.
Government says HSE recovery will take several weeks
On 2021-05-19, Irish officials said restoring the HSE's IT environment would take several weeks. The statement underscored the scale of operational damage and the prolonged impact on healthcare services.
Authorities monitor dark web for leaked HSE data
By 2021-05-18, Irish authorities were monitoring dark web leak sites for any publication of data stolen from the HSE. This reflected growing concern that sensitive health and employee information might be exposed publicly.
Attackers reportedly demand $20 million and claim data theft
Reports published on 2021-05-15 said the attackers were demanding about $20 million and claimed to have spent two weeks in the HSE network. They also alleged they had stolen roughly 700 GB of unencrypted data, including patient, employee, financial, and payroll information.
Officials identify Conti and assess broader targeting
By 2021-05-15, investigators were profiling the malware as Conti ransomware and described the incident as a targeted attack by a serious international criminal group. Authorities also examined a related attempted attack on the Department of Health and prepared checks for other State agencies in case the intrusion had spread.
Irish government says it will not pay the ransom
On the day of the attack, Irish officials said a bitcoin ransom demand had been received or reported but that the State would not pay. Authorities including the HSE, National Cyber Security Centre, Gardaí, Defence Forces, and outside experts began incident response and recovery efforts.
Ransomware attack hits Ireland's HSE and forces IT shutdown
Around 4:30 a.m. on 2021-05-14, Ireland's Health Service Executive suffered a major ransomware attack that led it to shut down national IT systems as a precaution. The disruption affected hospital clinics, imaging, referrals, and some Covid-19 services, while emergency care and vaccinations continued.
PwC traces HSE breach to phishing email opened on patient-zero workstation
A PwC investigation found the HSE intrusion began on 2021-03-16 when a user opened a malicious Microsoft Excel attachment from a phishing email on the patient-zero workstation. The report said the attackers likely later exploited an unpatched known vulnerability to reach Active Directory before deploying Conti ransomware.


