The Day Ireland’s Health Service Went Dark

How a single email brought a nation’s hospitals to their knees


“It was worse than Covid.” — Dr. David Gallagher, oncologist


Prologue: 4:00 AM, Friday, 14 May 2021

Ireland is asleep.

In hospitals across the country, night shift nurses are doing their rounds. Monitors blink softly. Somewhere in Dublin, a newborn takes her first breath. In Cork, a cancer patient drifts in and out of medicated sleep. In a ward in Limerick, an elderly man waits for his morning blood results.

Then, silently, something changes.

Across every hospital in the country, simultaneously, computer screens flicker and go dark. Not one or two. All of them. Every workstation, every server, every connected device in Ireland’s entire public health network.

The Health Service Executive — the HSE, the organisation responsible for healthcare for five million people — has just been hit by one of the most devastating ransomware attacks ever launched against a health service anywhere in the world.

And it had been coming for two months.


Part One: The Invisible Invasion

16 March 2021 — The Poisoned Email

It started, as so many catastrophes do, with something unremarkable.

On 16 March 2021, a phishing email arrived in an HSE inbox. It looked like any other email, the kind that passes through a busy hospital network a thousand times a day. Attached to it was a Microsoft Excel spreadsheet.

Two days later, on 18 March, someone opened it.

That click, one moment, one human mistake, was all it took. Hidden inside the spreadsheet was malware that quietly downloaded itself onto the workstation. The computer’s antivirus software actually detected it. It flagged the threat and logged it. But the system was set to “monitor” mode, not “block” mode. So it watched, recorded, and did nothing.

The hackers were in.

The Ghost in the Machine

For the next eight weeks, nobody knew they were there.

The attackers moved slowly, deliberately, and almost invisibly. They used a tool called Cobalt Strike, a piece of legitimate penetration testing software that cybercriminals had repurposed as a weapon. Think of it as a master key that lets you wander through a building unseen, opening doors, learning the layout, copying files, all without triggering the alarm.

They explored the HSE network methodically. They identified servers. They mapped the system’s architecture. They located backup systems and data repositories. They found where the most sensitive patient records were stored. And they exfiltrated (quietly copied out) over 700 gigabytes of data: patient records, addresses, phone numbers, medical histories, staff payroll information, employment contracts.

They also used another tool called Mimikatz, a well-known piece of software that can steal login credentials directly from a computer’s memory, effectively harvesting the passwords of HSE administrators, giving the attackers ever-greater access to ever-more-sensitive systems.

In early May, alarms did begin to sound, quietly. The HSE’s cybersecurity provider flagged 16 separate threat events between 7 and 13 May. Hospital IT staff noticed strange activity on servers at two hospitals. But the alerts were assessed as low risk. Investigations were not formally launched. The dots were not connected.

On the night of 13 May, the security team flagged that servers needed to be restarted. It was noted. Not acted on in time.

At 1:00 AM on 14 May, the attackers executed their payload. The Conti ransomware detonated across the entire HSE network simultaneously.

By 4:00 AM, Ireland woke up to darkness.


Part Two: The Reckoning

Friday Morning — The Screens Go Dark

Staff arriving for the morning shift at hospitals across Ireland found a sight that stopped them cold: notes taped to every computer screen reading “DO NOT turn on or restart this device.”

Entire hospitals had lost access to everything. Patient records — gone. Blood test results — inaccessible. Radiology systems — offline. Appointment schedules — wiped. The email system — down. Even internal phone systems were disrupted.

Doctors reached for paper. Nurses pulled out pens. And the weight of what that meant began to sink in.

At the Rotunda Hospital in Dublin, Ireland’s oldest maternity hospital, all outpatient appointments were cancelled. The National Maternity Hospital followed. Cancer centres across the country suspended radiation therapy. At Cork University Hospital, the radiology department was described as “catastrophically” affected: all outpatient scans cancelled, digital imaging stores unavailable, historical imaging inaccessible.

Radiation therapy stopped at five cancer treatment centres. In the four weeks following the attack, referrals to cancer clinical trials units fell by 85%.

One doctor, speaking anonymously, described what it was like at the sharp end: “I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance. After all this I have to say sorry, I can’t see you… If I reschedule a patient and they come back a few weeks or a few months later with a tumour I couldn’t assess from the paperwork…”

He stopped. He didn’t need to finish the thought.

Lab results had to be printed and hand-delivered between wards. Blood testing was rationed to urgent cases only. Doctors treating cancer patients couldn’t access previous scans, meaning they couldn’t tell whether a tumour had grown. Referrals had to be made by phone or post. And the COVID-19 contact tracing system, still critical during the pandemic, went down, requiring close contacts to attend walk-in sites instead of booked appointments.

Ireland’s public health service, already stretched by a global pandemic, was running on pen, paper, and memory.

The Ransom Note

Left behind on the HSE’s systems was a digital ransom demand, a message from the attackers identifying themselves and laying out their terms. They wanted $19,999,000 in cryptocurrency, paid in exchange for a decryption key to unlock every encrypted file.

There were also links to a dark web chat room, and, as proof of what they held, samples of stolen patient data, including the records of a man receiving end-of-life care.

The Irish Government’s response was immediate and unambiguous: Ireland would not pay.



Part Three: Behind the Curtain

Who Did This?

Within days, investigators had a name: Wizard Spider.

The group, believed to be based in and around St. Petersburg, Russia, is widely regarded as one of the most sophisticated cybercriminal organisations in the world. Consisting of an estimated 80 members (some of whom reportedly didn’t even know they were working for a criminal operation), the gang runs like a professional business, employing skilled programmers and hackers on rotating part-time contracts to make it harder for law enforcement to track them.

Wizard Spider has been on the radar of the FBI, the UK National Crime Agency, Europol, and Interpol for years. The group had previously used ransomware called Ryuk, the same strain that had attacked hospitals in the US and France, before switching to the more powerful Conti variant.

What makes Wizard Spider particularly unsettling is not just their technical capability. It’s their structure. They sit at the centre of what analysts have described as the world’s first ransomware cartel, a coalition of five Russian-speaking cybercrime gangs who share infrastructure, tools, and intelligence, and divide the proceeds of attacks. They operate Conti as a Ransomware-as-a-Service (RaaS) platform, effectively licensing their malware to other criminal groups in exchange for a cut of any ransom received.

They also, uniquely among such gangs, appear to possess espionage-grade malware, software designed not to steal money, but to capture information quietly. This has led many analysts to ask uncomfortable questions about the true nature of the group’s relationship with the Russian state.

Motive: Was This Targeted?

The short answer is: probably not, at least not in the way you might imagine.

Wizard Spider’s model is what the security industry calls “big game hunting”: identifying large, well-funded organisations — governments, hospitals, corporations — and deploying ransomware against them in the expectation of a significant payout. The Irish Government is publicly funded. The hackers presumably calculated it could and would pay.

There is no credible evidence that the attack was politically motivated or that the HSE was chosen for any reason other than the fact that it was a large, well-connected, and, as it turned out, poorly defended target.

Critically, the attackers’ own malware contained a safeguard: it was programmed to automatically uninstall itself if it detected a Russian-language operating system or an IP address registered in a former Soviet state. Whatever else Wizard Spider was, they were careful not to bite the hand that tolerated them.

The Irish Minister of State for eGovernment, Ossian Smyth, was direct in his assessment: this was not espionage. This was crime. “This is a very, very sophisticated criminal enterprise.”

The Decryption Key — A Twist Nobody Expected

Then something strange happened.

On 20 May, just six days after the attack, and without any ransom being paid, Wizard Spider provided the HSE with a decryption key free of charge.

Nobody fully understood why. Some analysts suggested the group realised Ireland had no intention of paying and that the global media attention was becoming damaging. Others suggested it was a calculated PR move, a rare moment of apparent mercy from a criminal gang to reduce the heat from international law enforcement. Cybersecurity consultant Brian Honan offered a bleaker interpretation: “This is like somebody mugs you, steals your money, beats you up and then comes back with your empty wallet. It’s an empty gesture. The damage has already been immeasurable.”

And indeed, the key, when tested, was found to be highly flawed and riddled with bugs. The HSE’s own IT teams and Irish Defence Forces personnel had to work to debug and adapt it. Recovery continued for months.

September 21, 2021 — more than four months after the attack — was the day the last HSE server was finally decrypted.


Part Four: How It Worked — The Technical Picture

You don’t need to be a cybersecurity expert to understand how this happened. Here’s the plain-English version.

The Attack Vector: A Single Email

The initial entry point was a phishing email, a fraudulent message designed to trick the recipient into opening a malicious attachment. This is, by far, the most common method criminals use to break into organisations. In a workforce of 130,000 people across 4,000 locations, it only needed to work once.

The Malware: A Three-Stage Weapon

Once the attachment was opened, the attackers deployed their tools in stages:

Stage 1 — Cobalt Strike: A legitimate penetration testing tool (sold commercially to cybersecurity professionals) that was repurposed as a remote access weapon. It gave the attackers persistent, invisible access to the infected machine and allowed them to move “laterally”, that is, to spread from one system to others on the same network, quietly exploring and escalating their access privileges.

Stage 2 — Mimikatz: A tool that extracts passwords and login credentials from a computer’s active memory, allowing the attackers to impersonate administrators and unlock sensitive systems without needing to guess or crack passwords.

Stage 3 — Conti Ransomware: The final payload. Conti is what’s known as “double-extortion” ransomware: it doesn’t just encrypt files (locking you out of your own data), it also steals a copy of everything first. This means the attackers can demand two ransoms: one to restore your access, and another to prevent them from publishing your data publicly.

Conti was also notable for being able to encrypt data faster than almost any previous ransomware variant, and for identifying whether files were stored locally or shared across a network, allowing it to spread further and faster.

The Vulnerability: Not a Technical Flaw, But a Human One

Perhaps the most sobering finding of the independent post-incident review, conducted by PricewaterhouseCoopers, was this: there was no exotic zero-day vulnerability at the heart of this attack. No sophisticated technical flaw that nobody could have anticipated. The HSE was not defeated by the brilliance of the attackers.

It was defeated by the accumulation of years of underinvestment, fragmented systems, and missed warnings.

The antivirus was in monitor mode, not block mode. Monitoring only happened during business hours. The network ran tens of thousands of outdated Windows 7 machines, an operating system Microsoft had stopped supporting in 2019. There was no formal incident response plan. Multiple alarms were raised in the days before the attack; none triggered a full investigation. Ireland’s National Cyber Security Centre, responsible for the state’s cybersecurity, had just 25 staff, a €5 million annual budget, no dedicated premises, and a vacant Director position that had gone unfilled for a year because the advertised salary of €89,000 was too low to attract qualified candidates.

The attack succeeded not because of what the hackers did. It succeeded because of what the defenders didn’t do.


Part Five: The Aftermath

The Human Cost

90,000 people ultimately received letters informing them their data had been compromised. On 28 May, two weeks after the attack, confidential medical records for 520 patients were confirmed to have been published online, including the records of patients receiving cancer treatment and end-of-life care.

Tens of thousands of appointments were cancelled or delayed. Waiting lists grew. Cancer diagnoses were missed or postponed. Radiation therapy was suspended. Laboratory results that would normally take hours to process took days. Maternity services were severely disrupted. Tusla, the Child and Family Agency, with around 20,000 open cases including children in care, was also affected.

The full human cost, in terms of outcomes for patients whose care was delayed, will take years to fully understand. Researchers at RUSI (the Royal United Services Institute) have noted that for cancer patients in particular, the delays introduced by such attacks can have permanent consequences.

By December 2025, the HSE was offering €750 in compensation to affected patients, described by legal representatives as a significant, if belated, acknowledgement of harm.

The Financial Cost

The Irish Government’s initial estimate for recovery costs was $120 million. By June 2021, HSE Director General Paul Reid revised that estimate upward, to a projected $600 million, accounting for system rebuilding, new infrastructure, security upgrades, and long-term remediation.

By September 2022, the Comptroller and Auditor General confirmed the attack had already cost the HSE close to €100 million, with further costs expected. The bill did not stop there. Over 473 legal actions had been taken against the HSE by May 2024, with 12 personal injury cases before the courts relating to the psychological impact of the attack.

No ransom was ever paid.


Part Six: Lessons Learned

The PricewaterhouseCoopers post-incident review, 150 pages of unusually candid self-examination, laid out the key failures clearly. Its findings apply far beyond Ireland.

For Organisations

Assume you will be attacked. The question for any large organisation is not “will we be targeted?” but “are we ready when we are?” The HSE’s cybersecurity was built on the assumption that a major attack was unlikely. That assumption was wrong.

Patch your systems. Tens of thousands of Windows 7 machines, a system that had been end-of-life for two years, were running across HSE infrastructure. Legacy systems are open doors. They must be upgraded or isolated.

Don’t set your antivirus to “monitor” mode. This seems obvious in hindsight. But it reflects a broader culture in which cybersecurity was seen as a cost centre, not a critical function. Endpoint protection tools must be configured to block, not just observe.

Invest in 24/7 monitoring. Before the attack, the HSE’s antivirus monitoring ran only during business hours, 8am to 6pm. Attackers don’t keep office hours. The ransomware was detonated at 1am.

Have an incident response plan and test it. Most HSE hospitals had no Business Continuity Plan for a major IT outage. When the attack hit, staff improvised. Many did so brilliantly. But improvisation is not a strategy.

Multi-factor authentication (MFA) everywhere. Requiring a second form of verification for logins, a code sent to your phone, for example, would have significantly slowed the lateral movement of the attackers through the HSE network, even after they had stolen passwords via Mimikatz.

Immutable, offline backups. The HSE’s backup infrastructure was only periodically backed up to offline tape. Had a decryption key not been provided, the amount of permanently unrecoverable data could have been catastrophic. Backups must be regular, tested, and air-gapped from the main network.

Treat cybersecurity as a board-level issue. Cybersecurity cannot be delegated to an IT department with an inadequate budget. It requires executive ownership, sustained investment, and regular external audit.
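The failures listed above (detections logged in monitor mode, monitoring limited to 8am to 6pm, and 16 separate events across two hospitals assessed one at a time as low risk) can be turned into escalation rules. The following Python is an added example, not tooling from the HSE or the PwC review; the alert records are constructed to resemble the pattern described, and the rule thresholds are assumptions.

```python
"""Triage endpoint alerts that would otherwise be filed as 'low risk'.

Added example, not from the HSE or the PwC report. The alerts below are
constructed: a handful of detections over one week, on hosts at two
hospitals, logged by an antivirus running in monitor mode.
"""
from collections import Counter
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)  # the HSE's monitoring window, 8am to 6pm
# Post-exploitation tooling named on the page; never 'low risk' on its own
HIGH_RISK_FAMILIES = {"cobalt strike", "mimikatz", "credential dump"}

# Constructed sample alerts: (timestamp, host, detection, action taken)
SAMPLE_ALERTS = [
    ("2021-05-07 02:14", "hosp-a-srv01", "Cobalt Strike beacon", "monitored"),
    ("2021-05-09 11:30", "hosp-a-ws117", "Suspicious macro", "monitored"),
    ("2021-05-11 23:05", "hosp-b-srv04", "Mimikatz credential dump", "monitored"),
    ("2021-05-13 01:40", "hosp-b-srv04", "Cobalt Strike beacon", "monitored"),
    ("2021-05-13 09:12", "hosp-a-srv01", "Known trojan", "blocked"),
]


def parse(alert):
    ts, host, detection, action = alert
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "host": host, "detection": detection, "action": action}


def outside_business_hours(t):
    start, end = BUSINESS_HOURS
    return not (start <= t.hour < end)


def triage(alerts, window_days=7, host_threshold=2, event_threshold=5):
    """Return an escalation verdict plus the reasons behind it (assumed thresholds)."""
    parsed = sorted((parse(a) for a in alerts), key=lambda a: a["time"])
    if not parsed:
        return {"escalate": False, "reasons": [], "hosts": [], "unblocked": 0}
    reasons = []
    # Rule 1: a detection that was only logged, not blocked, is still live.
    unblocked = [a for a in parsed if a["action"] != "blocked"]
    if unblocked:
        reasons.append(f"{len(unblocked)} detections were logged but not blocked")
    # Rule 2: alerts outside the monitoring window were seen by nobody.
    after_hours = [a for a in parsed if outside_business_hours(a["time"])]
    if after_hours:
        reasons.append(f"{len(after_hours)} alerts fired outside "
                       f"{BUSINESS_HOURS[0]}-{BUSINESS_HOURS[1]}h")
    # Rule 3: post-exploitation tooling means an intruder is already inside.
    tooling = [a for a in parsed
               if any(f in a["detection"].lower() for f in HIGH_RISK_FAMILIES)]
    if tooling:
        reasons.append(f"{len(tooling)} post-exploitation tool detections")
    # Rule 4: correlate across hosts and time instead of judging each event alone.
    first, last = parsed[0]["time"], parsed[-1]["time"]
    hosts = Counter(a["host"] for a in parsed)
    if last - first <= timedelta(days=window_days) and (
            len(hosts) >= host_threshold or len(parsed) >= event_threshold):
        reasons.append(f"{len(parsed)} events on {len(hosts)} hosts "
                       f"within {window_days} days")
    return {"escalate": bool(reasons), "reasons": reasons,
            "hosts": sorted(hosts), "unblocked": len(unblocked)}


if __name__ == "__main__":
    for reason in triage(SAMPLE_ALERTS)["reasons"]:
        print("ESCALATE:", reason)
```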

For Individuals

Be suspicious of attachments. If an email arrives unexpectedly, even from what appears to be a known sender, and asks you to open a file, pause before clicking. Verify the sender through a different channel. When in doubt, don’t open it.

Report anything unusual. The HSE’s own systems flagged suspicious activity multiple times before the attack. Those flags were not escalated. In any organisation, a culture where staff feel empowered to report anomalies and where those reports are taken seriously is a first line of defence.

Use strong, unique passwords and enable MFA on every account. Password reuse is one of the most exploited vulnerabilities in cybercrime. A password manager and multi-factor authentication on personal and work accounts significantly reduce exposure.

Keep your own devices updated. The same principle that applied to HSE’s outdated systems applies to your personal laptop and phone. Software updates frequently contain critical security patches. Don’t ignore them.


Part Seven: The Bigger Picture

A Warning to Healthcare Globally

The HSE attack did not happen in isolation. It was part of a broader, accelerating global trend.

Between 2016 and 2021, ransomware attacks on healthcare organisations more than doubled. Nearly 42 million patients had their personal health data exposed in that period. What Ireland experienced in May 2021 has since been replicated, in different forms, at different scales, against NHS trusts in the UK, hospital networks in the United States, health systems in France, Germany, and Australia.

Healthcare is uniquely vulnerable. It holds vast quantities of sensitive data. It relies on continuous access to information, a disruption that would be inconvenient in a law firm and is potentially lethal in a hospital. And it has, historically, been chronically underfunded in its digital defences.

The attackers know this. They calculated it.

The Future Threat: What Comes Next

The HSE attack, as destructive as it was, represented a relatively “standard” ransomware operation: criminal in motive, opportunistic in targeting. The tools used (Cobalt Strike, Mimikatz, Conti) were not bespoke creations. They were off-the-shelf weapons deployed by professional criminals pursuing financial gain.

The next phase of this threat may be considerably darker.

As critical national infrastructure (power grids, water treatment, transport networks, and health systems) becomes increasingly digitalised and interconnected, the attack surface grows. What was once a financial crime becomes, in the wrong hands and with the wrong intent, an act of war.

The PwC report itself noted how much worse the HSE attack could have been: if the attackers had specifically targeted medical devices; if the ransomware had been designed to permanently destroy data rather than encrypt it; if the malware had spread autonomously across trust boundaries into connected devices like infusion pumps and MRI machines.

None of those things happened. This time.

Geopolitical tensions of the kind that have intensified since the Russian invasion of Ukraine in 2022 increase the risk that state-aligned actors will use exactly these tools not for financial gain, but for disruption, fear, and strategic damage. Wizard Spider itself fractured in 2022, partly over internal disagreements about the Ukraine war. Its members and tools did not disappear. They dispersed into other groups, other operations, other campaigns.

The infrastructure of criminal ransomware and state-sponsored cyberattack is converging. The line between organised crime and geopolitical weapon is increasingly difficult to draw.

A hospital that goes dark for four months because of criminal greed is a catastrophe. A hospital network that goes dark because of deliberate state action during a military conflict is something else entirely.


Conclusion: The Unlocked Door

On 16 March 2021, someone in an Irish health service office opened an email. They were one of 130,000 employees. They were doing their job. They had no reason to suspect that the spreadsheet in their inbox was not what it appeared to be.

What followed was not inevitable. At almost every stage there was a moment when a different decision could have changed the outcome: when the antivirus first detected the malware and logged it without acting; when the suspicious activity on two hospital servers was noted and assessed as low risk; when 16 threat events were flagged in a single week without triggering a full investigation.

The attackers were skilled, patient, and professional. But they were not invincible. They succeeded because the door was unlocked, the lights were off, and nobody was watching.

The real lesson of the HSE attack is not technical. It is cultural. Cybersecurity is not a product you buy. It is a practice you sustain. It requires investment, attention, and the understanding, at every level of an organisation, from the board room to the front desk, that in a connected world, digital resilience is not optional.

Five million people depended on Ireland’s health service. Their records, their diagnoses, their treatments, all of it was held in systems that were being protected with the bare minimum.

The most significant cyberattack ever launched against a health service didn’t require a genius. It required an open email, an unblocked antivirus, and an organisation that hadn’t yet understood what it meant to be a target.



Sources & Further Reading

Primary Sources

  • PricewaterhouseCoopers (2021), Conti Cyber Attack on the HSE: Full Independent Post Incident Review — The definitive 150-page post-mortem. Available at: hse.ie
  • HSE Ireland, Cyber Attack and HSE Response — The HSE’s own account of what happened and how it responded: hse.ie
  • US Department of Health and Human Services (HHS), Health Sector Cybersecurity Coordination Center (HC3), Lessons Learned from the HSE Attack (2022): hhs.gov


Chronicles of Compromise documents the cyber attacks that shaped our digital world — one story at a time. If you found this piece valuable, share it with someone who should read it.
