Should the HSE’s security defences be found to have been lower than the required standard, people and companies who have had their data compromised can sue in the courts under GDPR.
Individual civil legal claims by people whose data has been compromised could total in excess of €15,000 in each instance, according to Daragh O’Brien, managing director with Castlebridge, a data consultancy.
“In terms of civil liability in data cases, historically cases tend to be settled out of court, so there are a lot of unknowns.
“Previous cases have ranged around €15,000, one in Cork finished at €30,000,” he said, adding that any businesses whose data was exposed will also be in a position to take a commercial lawsuit.
“There aren’t many precedents, but that is going to change after this,” he said.
TJ McIntyre, associate professor of law at University College Dublin, said “it will depend on the degree of fault on the part of the HSE”.
He said a data claim is not a matter of strict liability; that is, if the HSE had protected itself to a reasonable extent, then it can defend itself.
“It is possible that you could take all available steps and still find yourself compromised,” Mr McIntyre said.
He added, however, that while the focus may be on people having their data stolen, “sick people are even more badly affected by their data not being available so that they can be treated”.
If someone can’t get their radiation oncology for two weeks, and they die because the attack wasn’t mitigated for — then you’re dealing with a direct threat to life, and that’s a data protection outcome.
The news comes as it emerged that some personalised medical data of Irish patients has been shared online in a bid by the attackers, a Russian group known as Wizard Spider, to further their claims for a $20m ransom, which the State has so far insisted it will not pay.
Patient data is 10 to 15 times more valuable than credit card data when sold on the Dark Web, according to a cyber security expert at the University of Ulster.
Professor Kevin Curran said health files offer permanent and extremely useful information about patients to criminals, such as date of birth, addresses, and family connections, which can be sold on for profit.
“The professionals online put that together with other records and they sell it for a lot more money. Then loans can be taken out or false identities can be issued based on this,” he said.
Prof Curran said the scale of this hack has actually caused some disquiet among the hacking community.
“Some of the main ransomware providers who take a cut off the attacks are saying they are going to try to stop ransomware infecting health systems and critical infrastructure,” Prof Curran said.
“This is the first time we have ever heard this from the hackers.”
In the Dáil, Labour leader Alan Kelly said the ransomware attack is escalating into a serious national security crisis. He said he had been contacted by a local GP in his constituency about a breach of patient data related to the hack.
“One of his patients had been contacted by a medical organisation from outside the State with all his details as regards a procedure he needed and his medical history,” Mr Kelly said.
“This organisation knew exactly what he required medically and was offering, in a short period, to be able to provide the operation he needed because it could see he was not going to get it for some time as a public patient.”
Responding, Taoiseach Micheál Martin said anyone who receives similar contact should report this to the gardaí, adding that he is limited in the amount of information that he can release on the matter in order to keep the details of the State’s response hidden from the attackers.