As experts in Data Protection we have got numerous phone calls in the past few days in relation to the HSE Cyber Attack. Many people are genuinely worried what the implication of this attack are for them. For now, it is too early to say with any degree of certainty, but as time passes the true cost and implications of this attack will become clear.
It appears at this stage that hackers have got access to certain health data relating to individuals. How they got his would be speculation at this stage, however the very fact the HSE system was compromised to the degree it has been points to the fact security systems were not adequate.
The European Union General Data Protection Directive (EU GDPR) places an obligation on data controllers (such as the HSE) to provide for an appropriate level of security (Article 32). The GDPR provides that assessing the appropriate level of security, account shall be taken of the risks inherent in the processing. In a nutshell, the more sensitive the data, the better the security should be. Health data would, generally be viewed as the most sensitive and deserving of the highest level of security considerations.
The good news is that most mass hacking events have not led to the widescale publishing of individuals data. In many cases individuals whose data was stolen were simply left wondering was their personal data ever used or misused after the hacking event. Equally; it has been hard for individuals to successfully seek compensation from data controllers who did not adequately secure their systems. The EU GDPR did change this system for the better, and it is now easier for an individual to succeed in a claim for compensation.
Since the implementation of the GDPR, Section 117 of the Data Protection Act 2018 allows for an individual to bring a “Data Protection Action” in the Circuit and High Courts. Here at O’Dowd Solicitors, we have several of these actions in being, and we anticipate we will be bringing many of them against the HSE should it transpire in the coming days and weeks that certain data has indeed fallen into the wrong hands. If you would like to be kept up to date in this regard, please contact us.
Any details furnished will be kept solely for the purpose of keeping you up to date with the HSE Cyberattack and no other reason. (and your details will be kept secure!)
Mícheál O’Dowd is the co-author of Cyber Law in Ireland (2015) and advises extensive on Data Protection and IT Law matters.