Data Breach Actions (including 2021 HSE data breach)

Data Breach Actions (including 2021 HSE data breach)2023-05-18T09:08:21+01:00

Actions for Data breaches are something a novel cause of action in Irish Law. The possibility of bringing such an action has existed for many years, but the grounds from bringing such a case was quite restrictive. The GDPR changed this position, and this, along with massive proliferation in data collection has meant an inevitable growth in claims being brough when things go wrong.

In May 2021 it became known that a data breach had occurred on HSE IT systems. The scale of the breach was unclear at the start,but it has since become quickly eviden than the personal details of most service users of the HSE has been exfiltrated by “hackers”, and the entire Irish Heath System disrupted. It is almost unquestionably the biggest Ransomware or hacking event that has occurred in the World and is a truly exceptional event; the consequences of which we have not grasped as yet. The purpose of this document is to give people information about their legal rights following the attack on the HSE IT Systems.

On the 17th May 2021 we first published a short blog post on our website stating that people adversely affected by the hacking event may be entitled to claim compensation. This drew a strong reaction from the Minister for Health who accused law firms of “potentially licking their lips at the thought of being able to sue the State”, and that any effort to sue the state should be regarded as “distasteful”. Further discussions on various media outlets indicated as a high a level of ignorance of Data Protection law as that exhibited by the Minister.

This firm responded in an appropriate manner to the outrageous comments of the Minister, and we further note the Law Society of Ireland further called on the Minister to apologise to the profession as a whole. Such an apology has not been forthcoming at the time of writing. Despite the Ministers comments, (and a certain amount of hate directed towards us, which thankfully pales in comparison to the supportive comments received both publicly and privately), it is our view that as Solicitors with particular expertise in the area of Data Protection is it our duty to inform and assist members of the public in understanding the Law as it applies to this incident in as fair and impartial a manner as possible. This duty is thrown into sharper relief when it appears that neither the HSE nor Minister for Health appeared to be aware of the rights enjoyed by Data Subjects at the commencement of this debacle.

At this point we can say with certainty that a great many people have state able claims which can be made against the HSE for the events that occurred, and we are inviting people who are worried about the consequences of this data breach to contact us.

1805, 2024

Data Protection Actions – an Update

By |May 18th, 2024|Categories: Firm News, HSE Data Breach, Legal Updates|Comments Off on Data Protection Actions – an Update

The recent (11/04/24) case of Dillon v. Irish Life is further complicating the area of bringing Data Breach Actions. This case suggests that Injuries Resolution Board authorisation is now required for some GDPR claims. Essentially the High Court held that any loss for anxiety and distress arising from a data breach, short of a recognisable psychiatric disorder will require an Injuries Resolution Board (IRB) authorisation. Of course inconvenience and damage don’t require an IRB authorisation. Judge O’Donnell noted   the plaintiff stated that the current practices of PIAB generally require the submission of a form of medical report [...]

2207, 2023

Questions arise over Data Protection and the Decision Support Service

By |July 22nd, 2023|Categories: Firm News, HSE Data Breach, Legal Updates, Uncategorized|Comments Off on Questions arise over Data Protection and the Decision Support Service

Earlier this year the Mental Health Commission & Decision Support Service (DSS) moved a longstanding legal instrument known as an enduring power of attorney (EPA) into an online format. Previously EPAs were a document created by solicitor and were for all intents and purposes a paper documents. The new EPA is one created online using a new DSS portal. Unsurprisingly it was necessary to commission an Data Protection Impact Assessment, but somewhat surprising is that the DPIA commissioned highlights a number of serious flaws, which may well open the DSS and Mental Health Commission to future litigation as [...]

1805, 2023

Data Breaches and “the stay”

By |May 18th, 2023|Categories: Firm News, HSE Data Breach, Uncategorized|Comments Off on Data Breaches and “the stay”

We read with interest the decision of Judge John O’Connor in the Irish times on the 18th May 2023 concerning the application by the HSE for a stay against a plaintiff seeking to recover damages for the breach by the HSE of the GDPR. The claim stems from the 2021 cyber attack which we have commented on extensively and in respect of which we have a number of proceedings in being (although we have no involvement in the above case) At first glance the position adopted by Judge O’Connor seems like an attractive “wait and see” position for [...]

1804, 2023

Micheal O’Dowd, Partner on Red FMs Neil Prendeville

By |April 18th, 2023|Categories: HSE Data Breach|Comments Off on Micheal O’Dowd, Partner on Red FMs Neil Prendeville

Micheal O'Dowd, Managing Partner in O'Dowd Solicitors was invited onto Red FM's Neil Prendeville  show this morning to discuss the "One in Four" data breach as well as giving an update in what is an interesting and ever evolving area of Law. It seems that despite stark warnings companies and organisations are still not taking Data Security seriously and are not taking precautions to avoid incurring legal liabilities. Two years ago the self styled "Alliance for Insurance Reform" saw fit to report us to the Legal Services Regulatory Authority for merely posting on this website that people may [...]

2102, 2023

Data Breach issues continue

By |February 21st, 2023|Categories: HSE Data Breach|Comments Off on Data Breach issues continue

We have been somewhat inundated with queries in respect of the HSE Data Breach. The scale of upset is quite extra ordinary, but by the fact the breach occurred, and the delay by the HSE in notifying data subjects. At this point hundreds of people have made inquiries as to possibility of issuing proceedings against the Health Service for breach of the data protection rights. While experience would suggest that the HSE will attempt to deny liability it is hard to see how these denials will be successful. There is  however a very live issue before the European [...]

1411, 2022

HSE Data Breach – November 2022 update

By |November 14th, 2022|Categories: Firm News, HSE Data Breach, Legal Updates|Comments Off on HSE Data Breach – November 2022 update

On the 5th April 2002 a hacker gained access to the Stephen P. Teale Data Center in California. The nondescript data centre was used by the state to process personal data relating to state employees. In total it is said that private information relating to 265,000 state employers was compromised on that day. The existence of hack was not made public by officials until the 24th May that year. On 6th June 2002, the Californian Senate Committee on Privacy, held an informational hearing on the incident to explore why the breach was not disclosed in a more proactive [...]

Go to Top