On 5th April 2002 a hacker gained access to the Stephen P. Teale Data Center in California. The nondescript data centre was used by the state to process personal data relating to state employees. In total it is said that private information relating to 265,000 state employees was compromised on that day. The existence of the hack was not made public by officials until 24th May that year.
On 6th June 2002, the Californian Senate Committee on Privacy held an informational hearing on the incident to explore why the breach was not disclosed in a more proactive and timely fashion. Testimony at that hearing revealed that, during the time it took to disclose the data breach, unauthorised persons in Germany attempted to access one state worker’s bank account, and another worker had an unauthorised change-of-address attempt made on her credit card account.
So why are we discussing something that happened over 20 years ago in California? The reason is that the attack on the Stephen P. Teale Data Center all those years ago is credited with creating the momentum to pass California Senate Bill 1386. This law was one of the first “data breach notification” laws worldwide, and an early ancestor of similar provisions in the GDPR.
The Californian law was enacted more than 15 years before the GDPR saw the light of day. It was far more limited than the provisions of the GDPR, but it recognised the importance of early notification to data subjects. Being notified of a hack quickly meant people could take steps to safeguard their interests (e.g. change passwords, monitor their credit records, be aware of scam communications) and take appropriate preventative measures.
Fast forward to today. We are now some 18 months after the HSE computer system was hacked, but the HSE are only now starting to contact people to inform them that their data was stolen. This is in a world where the HSE is obliged to “communicate the personal data breach to the data subject without undue delay” (Art 34 GDPR).
Even though it is conceivable that the HSE may have known for a long time that an individual’s data was compromised by Russian hackers, they are giving themselves until April 2023 to inform the individuals concerned. It certainly stretches the common understanding of the phrase “undue delay”.
National media has now informed us that 94,000 patients and approximately 18,200 members of staff will be contacted. Considering that the Mercy Hospital in Cork was able to advise people of the bare fact that some of their data was leaked onto the dark web within weeks of the hack occurring (much to the chagrin of the HSE, we think), it seems odd that the HSE is taking so long.
It remains our view that most of the 112,000 or so people will have a cause of action against the HSE or individual hospitals. FOI documents obtained by this office suggest that the hack had its genesis in poor security, obsolescent PCs and a general lack of training and awareness among staff. The hack did not necessarily occur because of the technical brilliance of the hackers, but because of organisational indifference.
The level of damages that one might recover from the HSE is notoriously difficult to predict, and the case law emanating from the ECJ is fluid, with a number of important cases to be decided on the issue in the coming months. One of the most noteworthy at the moment is that of Österreichische Post, where the Advocate General (an advisor to the Court) proposed that compensation should only be available to those who suffered genuine non-material damage, and not mere upset. It is questionable whether the ECJ will follow AG Manuel Campos Sánchez-Bordona down this particular line of reasoning.
Notwithstanding the views of the Advocate General, the unauthorised disclosure of personal health (or employee) information is likely to cause more than “mere upset” for those affected. The inordinate delay here by the HSE in informing individuals cannot be ignored in this context either.
Since the start of this incident this firm has issued numerous sets of proceedings against the Mercy Hospital in Cork arising from the 2021 data breach, and these are proceeding through the Courts at present. We have been slow to issue any proceedings against the HSE until they complied with their obligations under Article 34 GDPR, but we expect to be reaching out shortly to those who have contacted us in the past. We will happily assist any individuals concerned that their rights pursuant to the GDPR are not being adequately respected regarding this issue (or others).
If you wish to learn more, please contact us in confidence for a complimentary consultation on the issue without any obligation to instruct us further.