HSE Halts Plastic Medical Card Issuance Following Third-Party Cyber-Attack
The Health Service Executive (HSE) has temporarily suspended the production of plastic medical cards, European Health Insurance Cards (EHIC), GP visit cards, drugs payment scheme cards, and long-term illness cards after a cyber-attack targeted an external card-printing provider. While the HSE’s own systems remained uncompromised, a limited number of records were accessed during the incident.
The HSE confirmed the breach to Ireland’s Data Protection Commissioner and is collaborating with the affected provider to assess the scope of the exposed data. A decision on notifying impacted individuals is pending further review.
To minimize disruption, applicants will receive letters confirming their eligibility for schemes, which can serve as proof of entitlement. For EHIC cards, provisional replacement certificates are being issued, while digital versions for adults remain available via the HSE Health App. The HSE emphasized that healthcare access remains unaffected, as service providers including GPs and pharmacies verify eligibility through digital channels.
The HSE activated its cybersecurity protocols immediately upon notification by the external provider, reaffirming its commitment to handling data breaches in line with legal and internal policies. The incident was first reported by RTÉ Raidió na Gaeltachta.
Source: https://www.rte.ie/news/ireland/2026/0710/1582708-hse-data-breach/
External card-printing provider TPRM report: https://www.rankiteo.com/company/plastic-card-systems
"id": "pla1783680438",
"linkid": "plastic-card-systems",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'Ireland',
'name': 'Health Service Executive (HSE)',
'type': 'Government Healthcare Service'},
{'industry': 'Printing/Manufacturing',
'name': 'External card-printing provider',
'type': 'Third-Party Vendor'}],
'attack_vector': 'Third-Party Compromise',
'customer_advisories': 'Applicants to receive letters as proof of '
'entitlement; digital EHIC cards available via HSE '
'Health App',
'data_breach': {'number_of_records_exposed': 'Limited number',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personally identifiable information '
'(PII) related to healthcare '
'eligibility',
'type_of_data_compromised': 'Medical card applicant records, '
'eligibility data'},
'description': 'The Health Service Executive (HSE) has temporarily suspended '
'the production of plastic medical cards, European Health '
'Insurance Cards (EHIC), GP visit cards, drugs payment scheme '
'cards, and long-term illness cards after a cyber-attack '
'targeted an external card-printing provider. While the HSE’s '
'own systems remained uncompromised, a limited number of '
'records were accessed during the incident.',
'impact': {'data_compromised': 'Limited number of records accessed',
'downtime': 'Temporary suspension of plastic medical card issuance',
'identity_theft_risk': 'Potential risk due to exposed records',
'operational_impact': 'Disruption in card production; applicants '
'receive letters as proof of entitlement',
'systems_affected': 'External card-printing provider systems'},
'investigation_status': 'Ongoing',
'references': [{'source': 'RTÉ Raidió na Gaeltachta'}],
'regulatory_compliance': {'regulations_violated': 'Potential GDPR violation '
'(data breach notification '
'requirements)',
'regulatory_notifications': 'Notified Ireland’s '
'Data Protection '
'Commissioner'},
'response': {'communication_strategy': 'Notified Data Protection '
'Commissioner; public statement via '
'RTÉ Raidió na Gaeltachta',
'containment_measures': 'Suspended card production; activated '
'cybersecurity protocols',
'incident_response_plan_activated': 'Yes',
'recovery_measures': 'Issuing letters as proof of entitlement; '
'provisional EHIC certificates; digital '
'versions available via HSE Health App',
'remediation_measures': 'Collaborating with affected provider to '
'assess scope of exposed data'},
'stakeholder_advisories': 'Healthcare providers (GPs, pharmacies) advised to '
'verify eligibility through digital channels',
'title': 'HSE Halts Plastic Medical Card Issuance Following Third-Party '
'Cyber-Attack',
'type': 'Data Breach'}