On the 15th May 2021 the Data Protection Officer (DPO) for the HSE made a data breach notification to the Data Protection Commission. In that notification he said that a day earlier the HSE suffered a data security breach of its IT systems.
After some difficulty we have obtained the official data breach notification pursuant to the Freedom of Information Act. In the notification to the Data Protection Commission the stark facts were set out bluntly: approximately 4.9 million people had been affected by the breach, and the data disclosed to certain nefarious actors included:
- Data Subject Identity data (name, surname, date of birth)
- PPSN details
- Contact details
- Identification data (passports, licence data, etc.)
- Economic and Financial data
- Location Data
The HSE also notified the Data Protection Commission that special category (or sensitive) data was disclosed, including:
- Trade Union Data
- Health Data
- Genetic Data
- Biometric Data
The DPO also confirmed that the potential consequences for individuals included:
- Loss of Control over personal data
- Identity Theft
- Damage to reputation
- Loss of confidentiality of personal data protected by professional secrecy.
The DPO confirmed that the risk to individuals from the above was “Severe”. It is a pity that the communication to those affected by the breach was not as robust. Instead the Irish public were treated to PR spin and vague assurances from the Minister for Health, the CEO of the HSE, and other spokespeople.
Article 33 of the General Data Protection Regulation (GDPR) requires that in “the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”. This was complied with. No doubt there was further correspondence between the HSE and DPC, and this will come to light in due course. However, Article 33 is only half the story.
Article 34 GDPR requires that “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”. It was originally proposed to the Data Protection Commission that data subjects would be communicated with, both through the media and personally, from the 20th May. To our knowledge this never happened, and the HSE are in flagrant breach of the GDPR as a result.
We wrote to the DPO of the HSE seeking an update in respect of the above, and asking why it was that one hospital had communicated the fact that certain data pertaining to its patients was on the dark web, while all other HSE hospitals had remained silent regarding the cyber attack. We received the following response in August:
Thanks for your e-mail. I can confirm that the HSE and our cyber-security experts have been going through in a systematic manner the 4,800 servers, 70,000 end user devices, over 1,200 networked locations with 150,000 accounts across 9 Active Directory domains to detect any indicators of compromise.
The output of this work is now going through a forensic process to determine if specific personal data was breached during the attack. This is being done in conjunction with relevant funded agencies whose data is stored on HSE systems. The appropriate notifications will be made to any affected data subjects identified during this process. The process is likely to take some months to fully complete but any notifications required will not have to wait until the full process is complete. These can be addressed if/when they come to light.
The disruption you mention below was caused by the attackers encrypting HSE servers to the point where they could not operate without significant remedial work being completed. The fact that the servers were encrypted does not necessarily mean that personal data was breached.
The notifications that you mention below related to the personal data of a number of patients in one particular hospital which was posted on the “dark web”. This did constitute a data breach and the hospital in question, as the data controller, decided to notify the relevant affected data subjects. Similar notifications will be made should any further data breaches become evident.
Last week, Ossian Smyth, Minister of State at the Department of Public Expenditure and Reform, suggested that two reports on the matter were due to be published “shortly”. It appears that the Government have chosen to generate reports rather than comply with their obligations under EU law to let people know, in a timely manner, whether their data was compromised. What is clear is that the HSE are attempting to backpedal furiously from their initial position that a huge amount of data was stolen, and are now trying to make the unconvincing argument that the hackers committed the most unlikely crime of getting access to the ICT system but not touching the data!
At this point, some four months after the cyber attack, any reasonable person must accept that there has been undue delay in communicating to service users whether their data was compromised; after all, the day after the incident the HSE had a good idea of the scale of the issue, and people cannot be expected to wait forever for a suitable excuse to be constructed.
On a final note, it remains a curiosity that the Mercy University Hospital (MUH) in Cork informed the Data Protection Commission that the cyber attack on it commenced on the 13th May 2021 at 03.01, while the attack on the HSE did not commence until 04.30 on the 14th May 2021, over 24 hours later. Internal notes obtained from the MUH under Freedom of Information further confirm that the hospital had over 300 obsolete Windows 7 machines (since replaced), while the head of ICT of that hospital expressed certainty by the 26th May that the cyber attack at the MUH was started by a staff member unwittingly opening an infected file.
The effect on the Irish health service has been profound and is still ongoing. Personal injury actions may emerge from this debacle. We are aware of many cases where people have received sub-optimal care as a result of the attack. Those who feel they have been adversely affected should get professional advice. None of this is the fault of the individual care givers, but someone must be held accountable. It all begs the question: did the entire cyber attack start because someone, somewhere (and maybe in Cork), with an obsolete PC opened an infected file? If so, then the assurances of Minister Ossian Smyth earlier this week that the HSE was “in a uniquely vulnerable position at the time” ring hollow and are disrespectful to the public at large.
From our point of view, we have issued numerous proceedings under Article 82 GDPR against the Mercy Hospital Cork, and have instructions to proceed against the HSE. It is our view that at this point the delay by the HSE in making notifications pursuant to Article 34 is likely to add to the damages payable to individuals as a result of a breach of the GDPR, and to the ultimate cost of this debacle to the taxpayer.
If anyone would like any further information on their rights under the GDPR in relation to the HSE cyber attack, please do not hesitate to contact us, and we will be happy to assist on a complimentary basis. Please contact us here and learn more about the GDPR and the HSE cyber attack here.