It remains something of a surprise to us that there has been so little media coverage of late of the HSE Cyber Attack. Almost two months has now passed since the hacking incident and it appears that health services are still greatly affected and the Health Service Executive remains remarkably reticent to say what happened. They are even slower to say what is being done to remediate matters. We have spoken to a great many people about their experiences since the Cyber attack, and the following seems to be current position:

Health Services

From a health care point of view it seems that certain services, such as blood tests are still severely curtailed. We also understand people are having difficulty in getting scans from hospitals. There is lot of reliance on private facilities in this regard. We also know that getting details for staff on pay and pensions issues remains very challenging. Different hospitals have been affected in different ways.

Some of the private hospitals were not affected at all by the Data Breach/Cyber-attack, and can happily independently verify this fact. More healthcare institutions were paper based, and similarly are not particularly affected. A number of hospital consultants have come out to say that the lack of timely and effective health care services will have adverse consequences for people. Aside from any privacy or data protection issues the fact the Irish healthcare system was so fragile is a scandal.

Privacy and Data Protection

We have written to the HSE and associated hospitals on behalf of a great number of clients, some of whom have very serious illnesses, and who are very upset by their personal data being compromised. We have received some responses, but for the most part the responses are short, unsatisfactory, and do little to inspire confidence that the issue is being taken seriously.

So far, aside from one notable exception, no organisation affiliated with the HSE we have written to has been able to assure the integrity of their healthcare information. The last thing many of our clients wanted to hear was that the security of their data could not be assured. For the most part however it seems that the Health Service Executive and associated hospitals are unwilling to give any further details of the Cyber attack/data breach, even to those individuals who have been directly impacted.

A number of our clients have had their data published on the “darkweb”. Despite our requests for more detail of this, little is confirmed other than the Financial Times located some of it, and more was found on “Virus Total”. The role of the HSE and related organisations appears to have been completely reactive.

The HSE appears to have adopted the legally unsound approach of proposing no breach took place when their servers were compromised, and that the only breach that occurred was when certain data was uploaded to the darkweb. The legally correct view is that the HSE was a data controller that failed to secure data in accordance with Article 32 GDPR, but there has been no admission of this as yet. Equally the PR machine of the HSE seems to be quick to paint the organisation as the victim at the expense of those whose data it did not keep secure in the first place.
There is a certain amount of “back slapping” for securing certain High Court orders against reputable organisations such as the Financial Times and Chronicle Security. This again is little more than window dressing. Sadly, the position remains as of today’s date, that except in limited circumstances, no assurances have been given by the HSE or any related organisation that the sensitive personal data of a vast number of people is safe or secure.

Bogus Phone Calls

There has been much comment on the media about bogus and fraudulent phone calls. For many people these started on or about when the HSE’s system was compromised. Again, there has been no official communication on this, but there is a body of empirical evidence which suggests that a great deal of phone numbers were harvested from CRM/diary systems and it is no co-incidence that those getting a high volume of calls had reason to be in contact with the Healthcare system in the recent past. In the absence of any official confirmation from the HSE in this regard all this remains speculation, but we suspect the true position will emerge sooner rather than later.

Whereto next

At this point we are still gathering information on behalf of clients. As mentioned above we have written countless letters to the HSE seeking reassurance. Reassurance has been sadly lacking. The failure of the HSE to be more forthcoming is now adding to peoples stress and anger. Our calls to the Minister for Health to engage fell on deaf ears.

At this point we anticipate we will be moving to the next phase and issuing proceedings against the HSE (and associated organisations) in the near future for their breach of the GDPR and Data Protection Act 2018.

If anyone would like any further information on their rights under the GDPR in relation to the HSE Cyber attack please do not hesitate to contact us, and we will be happy to assist on a complementary basis. Please contact us here and learn more about the GDPR and HSE Cyber attack here