Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Friday 1 December 2023 Dublin: -2°C
Cyber Attack

HSE brace for likely legal actions following cyber breach disclosures

Solicitor Fred Logue told The Journal that patients and staff are entitled to compensation for material and non-material losses under GDPR.

PATIENTS AND STAFF whose information was illegally accessed during the criminal cyber-attack on the HSE last year could take legal action against the health service but the executive remains tight-lipped on the scale of litigation it is expecting. 

Speaking to The Journal on Wednesday, HSE chief information officer Fran Thompson said that anyone who had their data breached is entitled to take legal action if they choose to do so. 

“It’s not for me to speculate on. Everyone has the right to take legal action, the GDPR legislation is very clear about how, why and where you can take legal action,” he said.

His comments come after the HSE began contacting 113,000 people who had their information stolen during the ransomware attack in May 2021. Of those, around 94,800 are patients and around 18,200 are staff.

People being notified are being sent a letter telling them what part of their personal information was impacted. The HSE is also apologising in the letters to the people being notified that this happened. 

The letter outlines how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied. 

Thompson explains that any suits filed would be “a circuit court type of action and a lot of it comes down to was the data utilised and if people suffered individual loss around that”.

He added that it was not up to the HSE to advise on whether people should take action or not, adding that everybody “can decide for themselves”.

Fred Logue, a solicitor who works for a firm specialising in data protection and information law, told The Journal that patients and staff are entitled to compensation for material and non-material losses under general data protection regulation (GDPR).

“Say someone gets your bank account number and steals money from your account. You’re entitled to be compensated for that. What is a non-material loss is not as clear cut,” he said.

“Traditionally in Ireland you can’t get compensation for those kinds of losses, just for distress or upset. It has to be a recognisable loss under Irish law.”

Logue said that since GDPR was introduced in 2018, it clarified that under EU law, Irish citizens could get compensation for non-material loss.

The HSE said it has been monitoring the internet including the dark web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online.

But Logue said that just because the files have so far not appeared on the internet since they were stolen does not mean those who had their information stolen cannot file a claim.

“It’s not only disclosure. I think people forget that unlawful disclosure is only one form of data breach. A data breach can be breach of security leading to accidental or unlawful destruction, loss, alteration, and unauthorised disclosure of or access to personal data,” he said.

“It can be a personal data breach if your data is destroyed or lost or becomes unavailable. The issue of a data breach is not just disclosure. It could be access, it could be destruction, loss. So just saying nobody got access, nobody can find it on the web is not a complete answer. Say your medical file was destroyed. That’s a very significant data breach, but nobody’s got access to it.

If they’re trying to say that it was limited, they only got your pin number – that’s limited information, but it’s enough to get into your bank account. Or saying no pin numbers were disclosed for example, but maybe your password was disclosed.

“The question is what was actually disclosed, and what’s the effect of it, not whether it’s limited or a small amount or whether people couldn’t find anything on the dark web. They’re answers to different questions.”

The HSE also said that the data that was illegally accessed and copied was found to contain a mix of personal, medical, employee and financial information.

The medical information related to lists of patients receiving treatment, vaccination lists, medical notes and correspondence with patients and notes, treatment histories, while the financial information was limited and mainly related to staff travel expense claims’ data.

Logue said that compensation will depend on a case-by-case basis. “You have to look at what information was unlawfully processed or disclosed, and then on an individual basis, what’s the impact of that?

“Say for example, it was highly sensitive information, like a trans person who was undergoing gender reassignment, and that’s disclosed, that would be a very, very significant impact on them. Whereas if it was the fact that you had been to the doctor once or whatever and didn’t really give any details about what it was about, that would probably be on the lower end of the spectrum,” he said. 

High Court order ‘not foolproof safeguard’

The HSE obtained a High Court order on 20 May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems.

Asked about what might happen if the stolen information does appear on the internet, Thompson said the HSE would utilise the court order worldwide “with anybody who has published or any entity that’s publishing that data”.

“That’s a very clear, very strong court order. It doesn’t name individuals, it says anybody, any person who publishes that data will be in breach of that court order,” he said.

Logue, however, says that the High Court order is “not a foolproof safeguard”.

“When the information has gone abroad, for example, a High Court order has no effect. If it’s gone to the Russians or whoever, they’re not exactly going to be worried about a High Court order,” he said.

He also questioned the time in between the data being breached and the HSE’s data breach notification programme.

There’s a lot of delay here. It’s really odd that they’ve taken over a year-and-a-half to notify people and they’re saying that they’re not going to finish notifying people until April next year.

“Why has it taken so long to do this? That’s the question I’d be asking as well. Like, you know, you’d imagine that they should act promptly in telling people what’s happened, particularly when it’s the HSE.”

The HSE said that after gardaí returned a copy of data that was illegally accessed and copied to them on 17 December 2021, it has examined, reviewed and cross-checked each document in detail over a number of months.

It said this process involved sanitising the data to make sure that the records were correct, taking steps to identify the 113,000 individuals, verifying their identity and ensuring that their contact details were up to date. 

Logue believes that the nature of what was stolen will determine whether people will file a legal claim or not.  

At Cabinet this week, Health Minister Stephen Donnelly and Children’s Minister Roderic O’Gorman brought an update on the work of their departments, the HSE and Tusla since the cyber-attack.

They noted that it is probable that some legal claims could be lodged after the data notification process, and that the two Departments are engaging with the Attorney General to ensure claims are dealt with “in a manner that has due regard to the rights of the data subjects and relevant cases being considered by the Court of Justice of the European Union, and takes account of the likely costs to the Exchequer”.

The Circuit Court and High Court currently have jurisdiction to hear a data protection action in Ireland. However, new legislation proposes allowing giving the District Court jurisdiction to hear data protection actions. 

The Courts and Civil Law (Miscellaneous Provisions) Bill 2022 proposes allowing for the District Court to “have jurisdiction, concurrently with the Circuit Court and the High Court, to hear and determine an action taken by a data subject in respect of his or her rights under the Data Protection Regulation and, for that purpose, to amend the Data Protection Act 2018”.

The Bill is currently at the third stage in the Dáil. Logue said this would make it easier for people whose data has been breached to take a claim if they wished to.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel