skip to main content

More than 470 legal actions taken against HSE over cyberattack

A total of 473 legal proceedings have been taken against the Health Service Executive (HSE) arising from the 2021 cyberattack.

Figures obtained by RTÉ News show that in addition, there were 140 pre-action letters issued to the HSE.

The proceedings relate to data protection claims.

The State Claims Agency (SCA) is managing 12 personal injury claims taken against the HSE, linked to the cyberattack, with legal proceedings being served in respect of 11 of these claims.

The personal injury claims relate to the psychological impact of the data breach.

There are a number of legal cases currently before the Courts of Justice of the European Union (CJEU) relevant to the proceedings issued against the HSE.

A stay, pending the outcome of the relevant CJEU cases, has been agreed or has been sought in the proceedings against the HSE.

Today is the third anniversary of the HSE cyberattack.

On 14 May 2021, a major ransomware attack caused widespread disruption and saw information held on computer systems illegally accessed and copied.

Cybercriminals, linked to the Russian hacking group Conti, carried out the ransomware attack.

An investigation identified 'missed opportunities' before the cyberattack

An investigation into the breach found that the HSE was operating on a frail IT system and did not have proper cyber expertise or resources.

It also identified several "missed opportunities" before the attack.

The HSE said it has written to all of the people affected by the cyberattack and the final number contacted was 90,936 individuals.

A total of 1,445 people requested follow up information under Data Subject Access Requests (DSAR).

"The HSE continues to monitor the internet and in particular the Dark Web and to date has not identified any evidence that any data has been shared or used fraudulently following the cyberattack," a HSE spokesperson said.

The HSE that the current estimate as to the total cost of the cyberattack is €102m but a report from the State's spending watchdog, the Comptroller and Auditor General, has found that the HSE will need to spend almost €657m over a seven-year period to implement cyber security improvements following the breach.

Last week, the Seanad was told that senior cybersecurity roles at the HSE have not yet been filled on a permanent basis, and that the HSE is continuing to use an outdated Windows 7 operating system on some of its devices.

'Critical' senior HSE posts filled - Senator

"Let's be very clear, we are going to see more cyberattacks in the future on public agencies," said Fianna Fáil Senator Malcolm Byrne.

"This is happening not just in Ireland, but globally."

"The HSE attack in 2021 should have been a real warning to us and it's not just about the HSE, it's about all public services," Mr Byrne said.

"It is critical now that the senior posts dealing with this issue are filled within the HSE but also that there are learnings right across the public sector to ensure that other areas of vital services aren't similarly attacked in the future," he added.

The HSE said that Damien McCallion will take up the Chief Technology and Transformation Officer (CTTO) role on 1 June.

The role of Chief Information Security Officer (CISO) has been re-advertised by the Public Appointments Service and the closing date for applications is 16 May.

Both roles are currently filled on an interim basis.

"There are multiple ongoing programmes of work focused on addressing all issues highlighted in the wake of the attack, reducing risk, building cyber resilience, and building additional cyber security capability and capacity through the establishment of a dedicated cyber security function under the leadership of a Chief Information Security Officer (CISO) within the HSE," a spokesperson said.

"The HSE manages and responds to thousands of cyber threats annually and takes appropriate action to ensure awareness of current threats," the HSE said.

Mother recalls disruption to medical appointments

Olive O'Connor is a mother of four children with chronic health conditions and is also a volunteer with the Irish Patients' Association.

Olive O'Connor
Olive O'Connor said the cyberattack caused her a lot of stress

She is not taking legal action against the HSE but, three years on, she remembers only too well the disruption and upset the cyberattack caused.

"When we went to our appointments, they had no access to the medical records and we had to be given temporary chart record numbers, which stressed me out a lot because obviously the medical records were really important for my daughter," Ms O'Connor said.

"I was really stressed about it, from the point of view of all of my children, even those who weren't using the health services at the time, wondering what if all their records and medical files were gone," she added.