Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
PATIENTS AND STAFF whose information was illegally accessed during the criminal cyber-attack on the HSE last year could take legal action against the health service but the executive remains tight-lipped on the scale of litigation it is expecting.
Speaking to The Journal on Wednesday, HSE chief information officer Fran Thompson said that anyone who had their data breached is entitled to take legal action if they choose to do so.
“It’s not for me to speculate on. Everyone has the right to take legal action, the GDPR legislation is very clear about how, why and where you can take legal action,” he said.
His comments come after the HSE began contacting 113,000 people who had their information stolen during the ransomware attack in May 2021. Of those, around 94,800 are patients and around 18,200 are staff.
People being notified are being sent a letter telling them what part of their personal information was impacted. The HSE is also apologising in the letters to the people being notified that this happened.
The letter outlines how, if they wish to do so, people can then request to view their exact documents which were illegally accessed and copied.
Thompson explains that any suits filed would be “a circuit court type of action and a lot of it comes down to was the data utilised and if people suffered individual loss around that”.
He added that it was not up to the HSE to advise on whether people should take action or not, adding that everybody “can decide for themselves”.
Fred Logue, a solicitor who works for a firm specialising in data protection and information law, told The Journal that patients and staff are entitled to compensation for material and non-material losses under general data protection regulation (GDPR).
“Say someone gets your bank account number and steals money from your account. You’re entitled to be compensated for that. What is a non-material loss is not as clear cut,” he said.
“Traditionally in Ireland you can’t get compensation for those kinds of losses, just for distress or upset. It has to be a recognisable loss under Irish law.”
Logue said that since GDPR was introduced in 2018, it clarified that under EU law, Irish citizens could get compensation for non-material loss.
The HSE said it has been monitoring the internet including the dark web since the cyber-attack and has seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online.
But Logue said that just because the files have so far not appeared on the internet since they were stolen does not mean those who had their information stolen cannot file a claim.
“It’s not only disclosure. I think people forget that unlawful disclosure is only one form of data breach. A data breach can be breach of security leading to accidental or unlawful destruction, loss, alteration, and unauthorised disclosure of or access to personal data,” he said.
“It can be a personal data breach if your data is destroyed or lost or becomes unavailable. The issue of a data breach is not just disclosure. It could be access, it could be destruction, loss. So just saying nobody got access, nobody can find it on the web is not a complete answer. Say your medical file was destroyed. That’s a very significant data breach, but nobody’s got access to it.
If they’re trying to say that it was limited, they only got your pin number – that’s limited information, but it’s enough to get into your bank account. Or saying no pin numbers were disclosed for example, but maybe your password was disclosed.
“The question is what was actually disclosed, and what’s the effect of it, not whether it’s limited or a small amount or whether people couldn’t find anything on the dark web. They’re answers to different questions.”
The HSE also said that the data that was illegally accessed and copied was found to contain a mix of personal, medical, employee and financial information.
The medical information related to lists of patients receiving treatment, vaccination lists, medical notes and correspondence with patients and notes, treatment histories, while the financial information was limited and mainly related to staff travel expense claims’ data.
Logue said that compensation will depend on a case-by-case basis. “You have to look at what information was unlawfully processed or disclosed, and then on an individual basis, what’s the impact of that?
“Say for example, it was highly sensitive information, like a trans person who was undergoing gender reassignment, and that’s disclosed, that would be a very, very significant impact on them. Whereas if it was the fact that you had been to the doctor once or whatever and didn’t really give any details about what it was about, that would probably be on the lower end of the spectrum,” he said.
High Court order ‘not foolproof safeguard’
The HSE obtained a High Court order on 20 May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from its computer systems.
Asked about what might happen if the stolen information does appear on the internet, Thompson said the HSE would utilise the court order worldwide “with anybody who has published or any entity that’s publishing that data”.
“That’s a very clear, very strong court order. It doesn’t name individuals, it says anybody, any person who publishes that data will be in breach of that court order,” he said.
Logue, however, says that the High Court order is “not a foolproof safeguard”.
“When the information has gone abroad, for example, a High Court order has no effect. If it’s gone to the Russians or whoever, they’re not exactly going to be worried about a High Court order,” he said.
He also questioned the time in between the data being breached and the HSE’s data breach notification programme.
There’s a lot of delay here. It’s really odd that they’ve taken over a year-and-a-half to notify people and they’re saying that they’re not going to finish notifying people until April next year.
“Why has it taken so long to do this? That’s the question I’d be asking as well. Like, you know, you’d imagine that they should act promptly in telling people what’s happened, particularly when it’s the HSE.”
The HSE said that after gardaí returned a copy of data that was illegally accessed and copied to them on 17 December 2021, it has examined, reviewed and cross-checked each document in detail over a number of months.
It said this process involved sanitising the data to make sure that the records were correct, taking steps to identify the 113,000 individuals, verifying their identity and ensuring that their contact details were up to date.
Logue believes that the nature of what was stolen will determine whether people will file a legal claim or not.
At Cabinet this week, Health Minister Stephen Donnelly and Children’s Minister Roderic O’Gorman brought an update on the work of their departments, the HSE and Tusla since the cyber-attack.
They noted that it is probable that some legal claims could be lodged after the data notification process, and that the two Departments are engaging with the Attorney General to ensure claims are dealt with “in a manner that has due regard to the rights of the data subjects and relevant cases being considered by the Court of Justice of the European Union, and takes account of the likely costs to the Exchequer”.
The Circuit Court and High Court currently have jurisdiction to hear a data protection action in Ireland. However, new legislation proposes allowing giving the District Court jurisdiction to hear data protection actions.
The Courts and Civil Law (Miscellaneous Provisions) Bill 2022 proposes allowing for the District Court to “have jurisdiction, concurrently with the Circuit Court and the High Court, to hear and determine an action taken by a data subject in respect of his or her rights under the Data Protection Regulation and, for that purpose, to amend the Data Protection Act 2018”.
The Bill is currently at the third stage in the Dáil. Logue said this would make it easier for people whose data has been breached to take a claim if they wished to.
To embed this post, copy the code below on your site
Waiting time for what? If you are in the Emergency Department, it is the same for public and private patients….if you are on a waiting list there is a big difference.
There is no difference between insured and not insured turning up at A&E. The difference is the waiting lists. It’s a gamble, health insurance cuts waiting time for surgery, but is it worth the money?
My question is it worth having health insurance?. My experience so far is my waiting time is practically same. What is others experience?
Mt father has severed with a heart condition for over 15 years , despite the fact he never smoked or drank in his life. He is a member of the VHI and I firmly believe he would not be alive today if he wasn’t. Though the premiums are very stiff for pensioners at the first sign of trouble he is admitted to the Bons Hospital in Cork and gets the care he needs. There is no price too high to know he is never left waiting on a bed or lying on a trolley in some draughty hall. He has worked hard all this life and it’s the very least he deserves.
if the industry is in decline, why did 2 companies join the competition for business.
Money, plain and simple. The general insurance market has annual premiums of approx €1.6 billion pa and about 13/14 main providers. Private health insurance markets annual premiums approx €2 billion and only four providers. Glohealth and Aviva are targeting the younger members of the market by not providing full orthopaedic cover on many of their plans, which does not appeal to the older (riskier) consumers out there.
That was before this came into effect see how quick they are gone when it does come in
Can I ask is there any point in having children’s private health insurance? There are no private beds in children’s hospitals are there? And if your child has a condition you can be assessed privately but you can’t go privately for treatment I think, am I right? So you just end up on a list like everyone else. I am a mum with health insurance for my children by the way.
Susan, for me it’s a question of will my child get seriously ill, yes or no? Private health insurance has no benefits over public when it comes to the normal bumps and breaks your child will have. It’s only an insurance againgts the really serious illnesses that a child may have. Now this is my only personal opinion of course :)
Also I must add that it’s no use having public hospitals that double up as private ones. My wife, who has private health care through work was left on a trolley in St. Luke’s after having surgery because there was not a bed (she supposedly was entitled to a private room!)
Yeah Steve. I’ve experienced something similar, and imagine my shock when my health insurer sends me the invoice a few months later, and I discover that the hospital have charged for private accommodation.
If you have school children and you obtain the 24 hour school insurance that also includes school holidays is it worth having a separate health insurance for them as well?? This is a regular topic of conversation in work and no one seems to know the correct answer!!
Mine is up for renewal and I am buying prize bonds from now on with the money hopefully if and when it’s needed there might be enough to cover me and also I might win a few bob being asked to pay twice for insurance and them to be levied is a disgrace
When my son was a baby he needed an mri of his brain and though we had private health cover, he had to wait 14mths on one as there are no private mris for children. I’m not sure it’s any use though I still pay it.
Oh goodness, poor little guy! From what I read / hear this is common, health insurance for kiddies doesn’t speed up the process at all and that’s worrying.
Gavan, with respect, your headline is misleading. In fact the only one of the four insurers who called today for the levy to be scrapped is GloHealth. (I watched this today, and the others didn’t ask for it to be scrapped). They called for this to be scrapped to attract younger people into the market. The levy is used to fund discounts for older and sicker people, so it’s not surprising that GloHealth want it ended. As a brand new health insurer they are likely to have very few older customers like the other insurers who have been around much longer.
GloHealth are the same people who set up Vivas Health. They are trying to push an American style of health insurance in Ireland. They lobby government intensely.
Here’s a radical way of cutting down on health insurance costs!!!! Cut the bloated payments to hospital consultants! It’s a crime that hospital consultants are earning over €500k a year between public and private work.
A lot of people are under the impression that if you go into a public bed in a public hospital there are no charges. Unless you have a medical card you will be charged for a public bed.
When health insurance was discussed on midweek a few months ago the experts opinion was in favour of people having health insurance if they dont have a medical card. She said that kids should have only the basic level of cover as there are no private childrens hospitals in ireland.
All part of the drive to price health insurance based on risk. Welcome to America.
have your say