Conti ransomware attack on Irish healthcare system may cost over $100 million

Ireland has already spent more than $48 million to recover from a devastating ransomware attack.
Written by Jonathan Greig, Contributor

An Irish news outlet is reporting that the country's healthcare system will have to spend more than $48 million recovering from a widespread ransomware attack by the Conti group that took place last year.

In a letter obtained by RTÉ, Health Service Executive interim chief information officer Fran Thompson said the costs associated with the ransomware attack include $14.2 million for ICT infrastructure, $6.1 million to pay for outside cybersecurity assistance, $17.1 million for vendor support and $9.4 million for Office 365. 

The letter was sent to Aontú party leader Peadar Tóibín, and Thompson noted that they are projecting the end cost to be more than $100 million. That $100 million does not include the costs associated with implementing the recommendations passed down in the detailed PWC report on the attack. 

Conti attacked Ireland's Health Service Executive in May 2021, causing weeks of disruption at the country's hospitals. The country refused to pay the $20 million ransom.

According to RTÉ and the BBC, dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down, and the country spent weeks trying to bring its healthcare IT system back online. The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams went through all 2,000 different IT systems one by one. 

Irish Foreign Minister Simon Coveney called it a "very serious attack" while Irish Minister of State Ossian Smyth said it was "possibly the most significant cybercrime attack on the Irish State."  

Emergency services still operated, but many radiology appointments were canceled, according to a government statement. There were delays in COVID-19 test result reporting as well as delays with issuing birth, death, or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals were all affected by the attack, according to The Journal.

Dublin's Rotunda Hospital, The National Maternity Hospital, St Columcille's Hospital, Children's Health Ireland (CHI) at Crumlin Hospital, and The UL Hospitals Group all reported varying levels of IT outages.

Health Minister Stephen Donnelly added that the HSE payment system was downed by the attack. The 146,000 people working in the healthcare industry faced issues with full payment.

Ransomware experts said that while the numbers seem large, ransomware recovery is an incredibly complex process. Emsisoft threat analyst Brett Callow said recovery costs can be extraordinarily high, as evidenced by the situation facing Scripps Health.

"After a ransomware attack in May 2021, Scripps Health estimated its losses for Q3 of that year to be $112.7 million. It should be noted that some of the costs associated with incidents are effectively catch-up spending as organizations address whatever weaknesses enabled the attack to succeed," Callow said. 

"In other words, they pay off their security debt. Additionally, the costs do not necessarily end with the remediation of the incident. Lost trust, lost opportunities, and class actions can all have an ongoing impact."

Recorded Future ransomware expert Allan Liska noted that major municipalities in the US, including Baltimore, Buffalo, and Atlanta, have similarly had to spend millions recovering from ransomware attacks.

While the numbers seen in Ireland are high, Liska said they accurately reflect how devastating and thorough the attack on HSE was. They also show that HSE is serious about not only recovering but also improving its security going forward.

"That 100 million number likely reflects not just the recovery but implementing new security protocols adding new capabilities and erasing what is likely years of technical debt that had been accumulating. Most organizations don't do that during a recovery, they do some of it. You almost have to, but they can't afford to implement everything they need to fully protect their organizations," Liska said. 

"I think people are amazed at how much recovering from a ransomware attack can really cost. When Baltimore was hit with a ransomware attack recovery costs were estimated at $18 million. Atlanta spent $17 million to recover. Ransomware recovery is expensive, we (the public) just don't see the true costs most of the time."
