The recent ransomware attack on the HSE I.T. systems causing Hospitals and G.P practices to shut down some 18 months ago has once again been the highlight of media reports in the last few weeks. While the focus has been the immediate disruption caused, the potential exposure of sensitive citizens data is now well known.
Data breaches by the HSE are not uncommon. In February of this year, a new Covid-19 vaccination rollout I.T. system was established and backed by Salesforce CRM and IBM who won a State Tender to provide the service. However due to 52 data access points within the system, a significant data breach occurred mainly due to employee error.
Furthermore, it was reported recently that warnings were made about “weaknesses” in the Health Service Executive’s computer systems three years ago. Issues were identified with “security controls” and “disaster recovery protocols” by internal audits which were flagged in HSE annual reports for two years in a row.
The HSE have commenced contacting those affected (approximately 112,000 individuals) with the first 300 being contacted this month. The HSE have allowed themselves until April 2023 to contact all those affected.
WHAT DOES THIS MEAN FOR THE IRISH PUBLIC?
Due to the ransomware attacks and previous data breaches, an enormous amount of sensitive data to include PPS Numbers, date of births and other personal records can be sold online on the Dark Web to the highest bidder who with the use of social engineering can use this information for fraudulent purposes at a significant cost to the victims whose data has been used in this way. For such victims, the main recourse is to pursue a claim under the GDPR Regulations which are governed in Ireland under the Data Protection Act 2018.
There are two avenues of complaint:
- A complaint to the Data Protection Commissioner (DPC)
As the DPC can reach findings about whether there has been a breach, the DPC cannot award compensation but if liability is in question, then the DPC may be able to clarify the matter before proceedings are issued.
- A Data Protection Action in either the Circuit Court or High Court under S.117 Data Protection Act 2018.
Under GDPR a data controller or a data processor such as the HSE must contact you and inform you that your personal data has been breached. However due to the recent media coverage it may be disproportionate for the HSE to establish contact. If you believe your data has been breached, you should contact the HSE directly to clarify whether it has.
Prior to the GDPR, the Irish High Court held that only material damage was compensable. However, Article 82 of the GDPR establishes a right to compensation for a data subject who has suffered either material or non- material damages as a result of the breach. Such loss has been difficult to quantify but recent persuasive UK Authorities have ruled that compensation can be awarded for loss of control over personal data, even where there was no pecuniary damage or distress. However, in Ireland, it will be necessary to show such loss from a psychological point of view. The Irish Courts have repeatedly ruled that upset or distress short of psychiatric injury is not recoverable in tort. Therefore, you would have to make a claim through the Personal Injury Assessment Board for a claim for such injury and to do so within 2 years despite the fact that the GDPR statute allows for 6 years. It may be the case that any such data used for fraudulent purposes will allow one 6 years to take a case to the Circuit or High Court for material damage.
In the last month, the HSE has started to contact the 112,000 individuals affected by this and have allowed themselves until April 2023 to notify those affected. This is alarming to say the least as personal data can be used to create fake bank account, PPS Numbers and fake identities for numerous criminal activities with a potential personal financial loss for those affected.
If you have been affected and have been contacted by the HSE, then do not hesitate to contact us on 021 2390620 or email: anthony.shields@mdmsolicitors.ie and a member of our specialised privacy and data protection experts will be able to advise you.