Anatomy of a Breach

Anatomy of a Breach: The Irish HSE and JBS — When Ransomware Hit Healthcare and the Food Supply in the Same Month

> series: anatomy_of_a_breach —— part: 150 —— targets: irish_hse + jbs —— sectors: healthcare + food_supply —— ransomware: conti + revil<span class="cursor-blink">_</span>_

Hedgehog Security 30 June 2021 15 min read
ransomware irish-hse jbs conti revil healthcare food-supply critical-infrastructure series
Breach #150

Healthcare and food supply. Both hit by ransomware. In the same month.

On 14 May 2021, Conti ransomware devastated Ireland's Health Service Executive (HSE) — the publicly funded healthcare system serving 5 million people. The attack encrypted systems across Ireland's hospitals and healthcare facilities, forcing cancellation of thousands of outpatient appointments, reverting hospitals to paper records, delaying cancer treatments, disabling diagnostic imaging systems, and disrupting COVID-19 vaccination appointments. The HSE refused to pay the ransom. Full recovery took over four months and cost an estimated €100 million.

Sixteen days later, on 30 May, REvil ransomware struck JBS — the world's largest meat processing company, responsible for approximately 20% of US beef slaughtering capacity. The attack forced closure of processing plants in the US, Canada, and Australia, triggering fears of food supply disruption and price increases. JBS paid $11 million in ransom to prevent further disruption. Two essential services — healthcare and food — both crippled by ransomware within two weeks, by two different ransomware-as-a-service (RaaS) operations. The ransomware epidemic against critical infrastructure had reached crisis proportions.

Healthcare Devastated — Again
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Ireland's NHS equivalent. Cancer treatments delayed. COVID vaccines disrupted.

The Irish HSE attack was the most severe ransomware incident to strike a national healthcare system since WannaCry hit the NHS in 2017 — and in many ways was worse, because it was targeted and deliberate rather than a worm spreading indiscriminately. The Conti operators specifically targeted the HSE and demanded a $20 million ransom. The Irish government refused to pay. The recovery, which took over four months, required rebuilding IT infrastructure across the entire health service.

Lessons for the UK NHS
The Irish HSE operates a similar model to the UK NHS — publicly funded, serving the entire population, with similar IT infrastructure challenges. The HSE attack is the closest parallel to a WannaCry-scale event affecting the NHS. For UK <a href="/blog/sector-under-the-microscope-healthcare">healthcare organisations</a>, the HSE case reinforces that ransomware resilience is patient safety. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> provides 24/7 monitoring.
Food Supply Under Threat
JBS processing 20% of US beef capacity — its shutdown caused immediate supply chain concerns and price fluctuations. For UK <a href="/blog/sector-under-the-microscope-manufacturing">food manufacturers</a> and supply chain operators, the JBS attack demonstrated that ransomware can threaten food security.
$11 Million Paid by JBS
JBS paid $11 million — one of the largest confirmed ransomware payments. The payment funded further REvil operations, which would culminate in the <a href="/blog/anatomy-of-a-breach-kaseya-vsa">Kaseya VSA attack</a> one month later. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response including ransom decision guidance.
€100 Million HSE Recovery
The HSE's refusal to pay and subsequent €100 million recovery — while principled — demonstrated the extreme cost of ransomware recovery for large, complex organisations. Prevention through <a href="/cyber-essentials">Cyber Essentials</a>, <a href="/penetration-testing">penetration testing</a>, and <a href="https://www.socinabox.co.uk">continuous monitoring</a> costs a fraction of the recovery bill.
The Ransomware Crisis

Healthcare. Food. Fuel. All hit within weeks. This is a national security crisis.

Colonial Pipeline (fuel), the Irish HSE (healthcare), and JBS (food) — three critical infrastructure sectors hit by ransomware within three weeks of each other. The concentration of attacks against essential services in May-June 2021 demonstrated that the ransomware threat had escalated from a business risk to a national security crisis. For UK organisations operating in any critical sector, the controls are the same ones this series has advocated for thirteen years: Cyber Essentials, penetration testing, SOC in a Box, and incident response capability.

Critical Sector Defence

Fuel. Healthcare. Food. All hit by ransomware in the same month. Is your critical service defended?

<a href="/cyber-essentials">Cyber Essentials</a> provides the baseline. <a href="/penetration-testing">Penetration testing</a> validates controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors 24/7. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.

Commission a Security Assessment Next: Kaseya VSA
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 28 February 2026

Anatomy of a Breach: BridgePay and University of Mississippi Medical Center — Payment Systems and Patient Care Both Disrupted by Ransomware

Breach #206. February 2026 saw ransomware disrupt two critical services. BridgePay — a payments platform serving city governments and municipalities — was hit by ransomware that disrupted payment processing for local government customers across the US, with systems not fully restored until 28 February. The University of Mississippi Medical Center was forced to close clinics after ransomware disabled IT systems and electronic health records, requiring clinicians to revert to manual downtime procedures for patient care. The clinics reopened on 2 March. Both incidents demonstrated that ransomware continues to target the systems that people depend on most — government payments and healthcare.

bridgepay ransomware
13 min read
Anatomy of a Breach 31 October 2022

Anatomy of a Breach: Medibank — 9.7 Million Australians' Health Data Published After Ransom Refused

Breach #166. In October 2022, Australian health insurer Medibank disclosed that attackers had stolen the personal and health data of 9.7 million current and former customers — approximately 40% of Australia's population. When Medibank refused to pay the ransom, the attackers — linked to the Russian REvil group — published sensitive health claims data on the dark web, including records related to mental health treatment, drug and alcohol rehabilitation, pregnancy terminations, and HIV status. The publication of intimate health data as punishment for non-payment represented the darkest evolution of the double-extortion ransomware model.

data-breach medibank
14 min read
Anatomy of a Breach 31 May 2022

Anatomy of a Breach: Costa Rica — Conti Ransomware Forces a National Emergency Declaration

Breach #161. In April-May 2022, Conti ransomware devastated Costa Rica's government systems across 27 institutions, forcing newly inaugurated President Rodrigo Chaves to declare a national emergency — the first time a country had declared a state of emergency in response to a cyber attack. The Finance Ministry's tax and customs systems were crippled, disrupting international trade. The Social Security system was attacked separately by the HIVE ransomware group. Conti demanded $10 million, later doubled to $20 million. Costa Rica refused to pay. The attack demonstrated that ransomware can threaten the functioning of an entire nation-state.

ransomware costa-rica
13 min read
All Posts Get in Touch