If you’ve recently applied for a plastic medical card or any other healthcare card through Ireland’s Health Service Executive, you might have noticed something different in the mail — or rather, the lack of it. This sudden medical card cyberattack targeted an external card-printing provider, not the HSE’s own network. While that sounds concerning, the good news is that your access to healthcare services hasn’t been affected at all.
Why can you still see a doctor without that physical card? Because healthcare providers can verify your eligibility through digital channels instead. So, whether you need a routine check-up or a prescription, the plastic card pause won’t stand in your way. The HSE cyberattack did lead to a healthcare card issuance halted situation for new and renewed cards, but the HSE was quick to clarify that its systems remained secure — only a small number of its records were accessed, meaning the core data infrastructure wasn’t compromised. This means you can keep using your existing services as usual, even while the printing side of things gets sorted out.
Which Medical Cards Are Affected by the Cyberattack?
The pause covers a range of plastic healthcare cards issued by the HSE, but digital verification ensures continuity of care. The affected medical cards include plastic medical cards, European Health Insurance Cards (EHIC), GP visit cards, drugs payment scheme cards, and long-term illness cards. These are all physical cards that were printed by the external provider hit by the cyberattack. If you already hold one of these cards, you can continue using it as normal — the issue only affects the printing and issuance of new or replacement cards.

For those waiting on a card, there’s reassuring news. Service providers use digital channels to verify your eligibility, so there is no impact on access to healthcare services. This means you can still visit your GP, access hospital care, and use other services without interruption. The card types paused are all handled the same way: your eligibility is checked electronically at the point of care, so you don’t need a physical card to receive treatment.
As a practical workaround, applicants for these cards will receive a letter confirming eligibility, which can be used as proof of eligibility. This letter acts as a temporary substitute until the plastic card arrives. The medical card cyberattack specifically targeted the printing process, not the eligibility system, so your healthcare access remains secure and uninterrupted. Digital eligibility verification ensures that the pause in plastic card production doesn’t create any gaps in your care.
Details of the Data Breach: What Records Were Accessed?
That assurance about your healthcare access being uninterrupted is important, but you’re probably wondering what really happened behind the scenes. In this medical card cyberattack, the HSE has confirmed that its own core systems were never compromised. The breach occurred on an external provider’s platform that handles the plastic card production process. However, a limited number of HSE records that were stored by that third party were accessed during the incident.
So what kind of data could be involved? The exact number and type of records that fell into the wrong hands are still under review. The HSE is working closely with the external provider to piece together the full picture. It’s a careful process—they need to determine which specific fields (like names, addresses, or card details) may have been exposed without jumping to conclusions. Because the provider is not part of the HSE’s own eligibility system, the breach is isolated to the data shared for printing purposes.
From a legal and regulatory standpoint, the incident was reported to the Data Protection Commission (DPC) on 27 May. The DPC has received a breach notification and is currently assessing it. This notification is a standard requirement under GDPR when personal data may be at risk. It means independent watchdogs are now scrutinizing the data breach details to ensure proper steps are taken. For you, the practical takeaway is that the HSE records accessed are a limited subset, and authorities are actively investigating—so you can expect more clarity as the review progresses.
How to Prove Eligibility Without a Plastic Medical Card
While the cyberattack has disrupted plastic card production, you can still access healthcare services and prove your eligibility through alternative methods. The key is knowing which documents or digital tools to use, and the process is straightforward.

If you have applied for a medical card, you will receive a letter confirming your eligibility. This letter acts as temporary proof, so keep it with you when visiting a doctor or hospital. It is a simple paper-based solution that works just as well as the plastic card for your appointments.
For those needing healthcare abroad, the situation is slightly different. Instead of plastic European Health Insurance Cards (EHIC), the authorities are issuing Provisional Replacement Certificates. You can request one of these to cover your treatment while traveling. It serves as a valid alternative, so you won’t miss out on necessary care.
Another practical option for adults is the HSE Health App. You can use it to access a digital version of your EHIC card directly on your phone. This eliminates the need for a physical card entirely and is a reliable way to prove eligibility on the go. Simply download the app, log in, and your card details will be available instantly.
These eligibility proof alternatives are designed to keep the system running smoothly despite the disruption. Whether you rely on a temporary medical card letter, a Provisional Replacement Certificate, or the app, you have clear options to avoid any gaps in coverage. The process is efficient, so you can focus on your health rather than paperwork.
Timeline of the Cyberattack and HSE Response
The HSE acted swiftly after being alerted to the breach, but the duration of the card issuance pause remains unclear. Understanding the cyberattack timeline helps you see exactly what steps were taken and where things stand now.
According to the HSE, the agency was alerted to the medical card cyberattack on the evening of 26 May. By the following day, 27 May, it had already paused all card issuance to prevent further data exposure. That same day, the HSE reported the incident to the Data Protection Commission (DPC), as required by law when personal data may be at risk. The HSE is now working closely with the external provider to review exactly which data was impacted during the breach.
If you want to go deeper, it is also worth a look at Download Jamboree Game Maker Free for iOS.
The HSE response has been methodical so far: contain the breach, notify the regulator, and assess the scope. However, the agency has not yet announced a timeline for resuming normal card issuance. The HSE will assess the need to notify individuals whose data may have been impacted, but no specific dates have been given for that process either.
This leaves many people wondering about the card issuance pause duration. While the pause is indefinite for now, the HSE has emphasized that it is prioritizing security over speed. If you are waiting for a new or renewed card, the temporary alternatives mentioned earlier — like the medical card letter or the Provisional Replacement Certificate — remain your best options in the meantime.
Responsibility and Risk: What Patients Should Know
While those temporary measures help with day-to-day access, the bigger concern for many patients is what this breach means for their personal data. The Irish Patients’ Association has made it clear that outsourcing does not outsource responsibility. In their view, every patient whose information was accessed deserves to know exactly what happened. This raises important questions about data security responsibility and who ultimately answers when a third-party provider is involved.
The Health Service Executive (HSE) has stated that its cyber security protocols were activated immediately upon alert. Work is ongoing to contain the breach and assess the full scope of the incident. The HSE will assess the need to notify individuals whose data may have been impacted, so not everyone affected will necessarily hear directly — but those whose information was compromised should expect official communication.
For now, no specific risk of fraud or identity theft has been confirmed. Still, caution is wise. If you hold a medical card, here are a few practical steps you can take:
- Monitor your financial accounts for any unusual activity, even though no direct link to financial data has been reported.
- Watch for phishing attempts — scammers sometimes exploit news of a breach to send fake messages posing as the HSE or your health provider. Never click links or share personal details in unsolicited emails or texts.
- Wait for official notification from the HSE before taking any further action. If you are contacted, follow the guidance provided.
This incident serves as a reminder that third-party provider risk is real, and that data security responsibility ultimately rests with the organisation you trust with your information. Staying alert and informed is your best defence.
Frequently Asked Questions
Which medical cards are affected by the medical card cyberattack?
The cyberattack has primarily disrupted the issuance of new plastic medical cards. Existing cards already in your possession remain valid for use. The HSE has not reported any impact on digital or temporary cards currently in circulation, focusing the disruption on new physical card production.
How can I prove my eligibility without a plastic medical card?
You can use your existing plastic medical card if you still have one. If you are waiting for a new card, the HSE provides alternative proofs like a printed digital letter or a confirmation from your local health office. Always carry a form of photo ID along with any temporary documentation you receive.
Were my HSE records compromised in this attack?
The HSE has stated that the cyberattack targeted card production systems, not the central patient database. Your medical records remain secure and unaffected. However, it is always a good practice to monitor your account for any unusual activity if you receive updates from the HSE.






