A major ransomware attack on the Irish health service last year could end up costing as much as €100m ($112m), according to a new report.
The Department of Health revealed the figure in response to a parliamentary question tabled by Peadar Tóibín, leader of the Aontú party, according to RTE.
Interim CIO for the Health Service Executive (HSE), Fran Thompson, revealed that around €12.7m has already been spent on IT infrastructure, €5.5m on cyber and strategic partner support, €15.3m on vendor support for applications and €8.4m on Microsoft 365.
That amounts to nearly €42m ($47m) so far, but the costs are expected to go much higher.
“The HSE forecasts that the overall cost could be in the region of €100m and further to this, the implementation of the recommendations of the PwC report into Conti will require a separate investment case which is being commissioned by the HSE,” the statement reportedly continued.
Ireland’s HSE, which is similar in some respects to the UK’s publicly funded National Health Service (NHS), provides health and social care services to everyone in the country.
However, it was struck by a major ransomware attack in early 2021. Although the Conti group initially demanded a $20m ransom, it later backed down after a public outcry and provided the decryption key for free.
However, the impact was still severe, taking the executive months to restore and decrypt all of its systems.
The PwC report highlighted numerous security failings at the HSE, such as AV software set only to “monitor” mode so it did not block malicious commands. Initial access was achieved in March, so the threat actors were effectively able to achieve persistence for eight weeks before they deployed the ransomware payload.
The mooted costs of the attack bring it close to the financial impact of WannaCry on the NHS. A report concluded the UK’s health service had paid £92m ($123m), mainly in IT overtime (£72m). Lost output accounted for the rest of the costs (£19m).