The Health Service Executive has said that it is likely that information relating to up to 20 people involved in recruitment processes has been accessed in a cyber attack involving external service provider EY.
The HSE said it became aware yesterday evening that EY was alerted to a cyber attack on the technology product MoveIT which it was using to support work on a project to automate part of the HSE's recruitment process.
"This attack was criminal in nature and international in scale," the HSE said in a statement.
The data involved includes names, addresses, mobile numbers, place on the recruitment panel and more general information on the posts being recruited.
"Importantly no other personal identification data or financial data is included," the HSE said.
It added that no patient data was involved, the attack was not on the HSE’s IT system, there is no evidence as of yet of the data appearing on the dark web and the exposure for the HSE appears to be quite small.
"I have reviewed this incident with senior officials this morning," HSE CEO Bernard Gloster said.
"Any breach is regrettable but unfortunately a feature of international criminal activity in recent years," Mr Gloster added.
The HSE said it is in contact with relevant authorities, including the Data Protection Commission, and added that contact will be made shortly with the individuals whose data was accessed.
The HSE was targeted by a major ransomware attack in May 2021 which caused widespread disruption and saw information held on computer systems illegally accessed and copied.
In September last year, a report from the State's spending watchdog, the Comptroller and Auditor General outlined that the HSE will need to spend almost €657m over seven years to implement cyber security improvements following the breach.
