Stewarts Care, a major Irish disability service provider, has notified personnel that their personal data may have been exposed in a serious security breach at Healthdaq, the recruitment firm through which they were employed. Up to 200 serving and former staff are understood to be affected, with the incident now on the radar of the HSE, the Garda National Cyber Crime Bureau, and the Data Protection Commission.
What Happened
Stewarts Care confirmed to staff that a cybersecurity incident at Healthdaq, a third-party recruitment provider, resulted in unauthorised access to personnel data. The disability service provider did not publicly disclose the precise headcount affected, but the figure is understood to be in the region of 200 current and former employees. The breach is being treated as serious by Irish authorities, with regulatory and law enforcement bodies engaged in the response. Stewarts Care itself was not the direct target; rather, its staff data was compromised through a supplier handling recruitment functions on its behalf.
What Was Taken
The specific data categories exposed have not been fully detailed in the public notification. Based on Healthdaq's role as a recruiter for a healthcare provider, the categories such a firm would typically hold, none of which has yet been confirmed as exposed in this incident, include:
- Full names, dates of birth, and home addresses
- PPS (Personal Public Service) numbers and tax information
- Employment history, references, and CV content
- Garda vetting and background check materials
- Banking details for payroll
- Copies of identity documents
For staff working with vulnerable adults in disability services, exposure of Garda vetting documentation and identity records carries elevated risk beyond ordinary employment data leaks.
Why It Matters
This incident is a textbook supply chain compromise affecting the Irish healthcare sector. Stewarts Care had no direct control over Healthdaq's security posture, yet its staff bear the downstream risk. The breach reinforces a pattern across European healthcare: recruiters, payroll providers, and HR SaaS vendors are increasingly the soft underbelly of otherwise hardened health and social care organisations. With the Data Protection Commission engaged, the Article 28 processor contract between the two parties, and how quickly Healthdaq met its Article 33(2) duty to notify Stewarts Care as controller, will come under scrutiny; the involvement of the Garda National Cyber Crime Bureau suggests authorities suspect criminal intrusion rather than incidental exposure.
The Attack Technique
Technical details of the intrusion at Healthdaq have not been disclosed publicly. The involvement of the Garda National Cyber Crime Bureau points to a suspected external compromise rather than internal mishandling, but that is an inference from who is investigating, not a confirmed finding. The vectors that dominate attacks on small to mid-sized recruitment and HR platforms are credential theft via phishing, exploitation of internet-facing applications, and compromise of cloud storage buckets holding candidate records; none of them has been attributed to this incident. No threat actor has publicly claimed the breach at the time of publication, and there is no confirmed indication of ransomware deployment versus pure data theft.
What Organizations Should Do
- Map your HR and recruitment supply chain. Identify every third party that holds employee identity, vetting, or payroll data, and confirm contractual security obligations under GDPR Article 28.
- Require breach notification SLAs from recruiters and HR vendors. Contracts should mandate notification within 24 hours of suspected compromise, not days or weeks: the controller's own 72-hour clock for notifying the Data Protection Commission (GDPR Article 33(1)) starts when it becomes aware, so every day a processor delays is a day the incident runs unmanaged before your obligations even begin.
- Treat vetting and identity document storage as a tier-1 asset. Garda vetting, passport scans, and PPS numbers should be encrypted at rest, access-logged, and purged on a defined schedule.
- Monitor for credential reuse and identity fraud signals. Affected staff should be enrolled in identity monitoring; organisations should watch for spear-phishing leveraging leaked HR data.
- Audit recruiter access to your environment. Many recruitment integrations carry standing access to internal HR systems; review and minimise it, and prefer short-lived, narrowly scoped credentials over shared accounts or long-lived API keys that outlive the engagement.
- Prepare a third-party breach playbook. When the breach is at a supplier, your incident response must coordinate with their disclosure timeline, regulators, and affected staff in parallel.
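The storage control in the third item above (vetting and identity documents encrypted at rest, access-logged, and purged on a defined schedule) as an added Go example. This is illustration code written for this article, not code from Stewarts Care, Healthdaq or any product they use. Everything in it is constructed: the `Vault` type and its method names, the `garda_vetting` category, the 30-day retention period used in the test, the actor names and the sample document. It keeps everything in memory so it runs offline; a production deployment would hold the key in a KMS or HSM, and keep the records, the log and the log head in durable, separately permissioned storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record holds one identity document only as AES-256-GCM ciphertext bound to its record ID via AAD.
type Record struct {
	Category   string
	StoredAt   time.Time
	Ciphertext []byte // nonce || GCM ciphertext and tag
}

// AccessEvent is one append-only log entry; Hash also covers the previous entry's hash.
type AccessEvent struct {
	At                            time.Time
	Actor, Action, RecordID, Hash string
}

// Vault is an in-memory stand-in: keep records, log and head in durable, separately permissioned storage and the key in a KMS/HSM.
type Vault struct {
	aead      cipher.AEAD
	records   map[string]Record
	log       []AccessEvent
	head      string                   // hash of the newest log entry
	retention map[string]time.Duration // purge schedule per document category (constructed policy)
}

func NewVault(key []byte, retention map[string]time.Duration) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead: aead, records: map[string]Record{}, retention: retention}, nil
}

func eventHash(prev string, e AccessEvent) string {
	sum := sha256.Sum256([]byte(prev + "|" + e.At.Format(time.RFC3339Nano) + "|" + e.Actor + "|" + e.Action + "|" + e.RecordID))
	return hex.EncodeToString(sum[:])
}
func (v *Vault) logEvent(actor, action, id string) {
	e := AccessEvent{At: time.Now().UTC(), Actor: actor, Action: action, RecordID: id}
	e.Hash = eventHash(v.head, e)
	v.log, v.head = append(v.log, e), e.Hash
}

// Store refuses any category with no retention period: nothing is kept without a purge date.
func (v *Vault) Store(actor, id, category string, doc []byte, storedAt time.Time) error {
	if _, ok := v.retention[category]; !ok {
		return fmt.Errorf("no retention policy for category %q", category)
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := append(nonce, v.aead.Seal(nil, nonce, doc, []byte(id))...)
	v.records[id] = Record{Category: category, StoredAt: storedAt, Ciphertext: ct}
	v.logEvent(actor, "store", id)
	return nil
}

// Read logs every attempt, denied ones included, so a probing integration account leaves a trail.
func (v *Vault) Read(actor, id string) ([]byte, error) {
	rec, ok := v.records[id]
	if !ok {
		v.logEvent(actor, "read_denied", id)
		return nil, fmt.Errorf("no such record %q", id)
	}
	v.logEvent(actor, "read", id)
	return v.aead.Open(nil, rec.Ciphertext[:v.aead.NonceSize()], rec.Ciphertext[v.aead.NonceSize():], []byte(id))
}

// Purge deletes every record whose category retention has elapsed as of now and returns their IDs.
func (v *Vault) Purge(now time.Time) []string {
	var purged []string
	for id, rec := range v.records {
		if now.Sub(rec.StoredAt) > v.retention[rec.Category] {
			delete(v.records, id)
			v.logEvent("retention_job", "purge", id)
			purged = append(purged, id)
		}
	}
	return purged
}
// VerifyLog recomputes the chain; false means an entry was altered, removed or the tail truncated.
func (v *Vault) VerifyLog() bool {
	prev := ""
	for _, e := range v.log {
		if eventHash(prev, e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return prev == v.head
}
```

Three design choices carry the security point. The record ID is passed as GCM additional data, so a ciphertext copied under another employee's ID will not decrypt; `Store` rejects any category without a retention period, which makes "purged on a defined schedule" a property enforced at write time rather than a policy document; and every access, including denied reads, is appended to a hash chain whose head is kept apart from the log, so an intruder who edits or trims the trail is detectable when `VerifyLog` is run.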