We have been a little quiet with our updates on this in the last number of months. It remains something of a mystery to us why 12 months after the hack the HSE has not informed any service users that they data may have been accessed in the course of the attack. The obligation to notify data subjects of a breach is a requirement of the GDPR. To date it seems only the Mercy Hospital in Cork notified data subjects that their data was accessed, and only those whose data was placed on the “dark web” were notified. This falls far short of the obligation the GDPR placed on the HSE and its affiliated hospitals.

At present we have a number of live cases against the Mercy Hospital on behalf of data subjects who found their data was placed on the dark web. While it would not be proper to comment other than in a general nature on the cases which are before the Courts, we are surprised at the approach being adopted by that hospital in defending these cases. We hope to be in a position to publish more information in the near future however.

If you have been the subject of a data breach either as a result of the HSE hack (or otherwise) please do contact us. You may be entitled to compensation, and we will be more than happy to assess your complaint on a complimentary basis.