We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.


HSE facing 473 lawsuits after Russian cyber attack

14 May 2024 data law Print

HSE facing 473 lawsuits after Russian cyber attack

The Health Service Executive (HSE) is facing 473 data-protection lawsuits as a result of the 2021 cyberattack.

RTÉ News reports that there have also been 140 pre-action letters issued to the HSE.

The proceedings relate to data protection and make claims of alleged psychological damage.

Cybercriminals, carried out the ransomware attack.

The State Claims Agency (SCA) is handling 12 personal-injury claims taken against the HSE, linked to the cyberattack, with lawsuits in respect of 11 of these.

The ransomware attack, three years ago today (14 May), saw patient information illegally accessed and copied, allegedly by Russian hacking group Conti.

'Frail' system

A subsequent probe found that the HSE was operating on a frail IT system and did not have proper cybersecurity expertise or resources.

The HSE wrote to 90,936 affected individuals and 1,445 people requested follow-up information under Data Subject Access Requests (DSAR).

The HSE estimates the cost of the cyberattack at €102 million.

The Comptroller and Auditor General said that the HSE would need to spend almost €657 million on security upgrades.

"Let's be very clear, we are going to see more cyberattacks in the future on public agencies," said Fianna Fáil Senator Malcolm Byrne in the Seanad last week.

"This is happening not just in Ireland, but globally," he warned.

"The HSE attack in 2021 should have been a real warning to us, and it's not just about the HSE, it's about all public services," Byrne said.

"It is critical now that the senior posts dealing with this issue are filled within the HSE, but also that there are learnings right across the public sector to ensure that other areas of vital services aren't similarly attacked in the future," he added.

The HSE said that Damien McCallion will take up the position of chief technology and transformation officer (CTTO) on 1 June.

The role of chief information security officer (CISO) has been re-advertised by the Public Appointments Service and the closing date for applications is 16 May.

Both roles are currently filled on an interim basis, RTÉ reports.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Copyright © 2024 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.