State could face huge damages claims for cyber attack

7 August 2021

Should the HSE’s security defences be found to have been lower than the required standard, people and companies who have had their data compromised can sue in the courts under GDPR.

Individual civil legal claims by people whose data has been compromised could total in excess of €15,000 in each instance, according to Daragh O’Brien, managing director with Castlebridge, a data consultancy.

“In terms of civil liability in data cases, historically cases tend to be settled out of court, so there are a lot of unknowns. 

“Previous cases have ranged around €15,000, one in Cork finished at €30,000,” he said, adding that any businesses whose data was exposed will also be in a position to take a commercial lawsuit.

“There aren’t many precedents, but that is going to change after this,” he said.

TJ McIntyre, associate professor of law at University College Dublin, said “it will depend on the degree of fault on the part of the HSE”.

He said a data claim does not count as strict liability, that is, if the HSE had protected itself to a reasonable extent then it can defend itself.

“It is possible that you could take all available steps and still find yourself compromised,” Mr McIntyre said.

He added, however, that while the focus may be on people having their data stolen, “sick people are even more badly affected by their data not being available so that they can be treated”. 

If someone can’t get their radiation oncology for two weeks, and they die because the attack wasn’t mitigated for — then you’re dealing with a direct threat to life, and that’s a data protection outcome.

The news comes as it emerged that some personalised medical data of Irish patients has been shared online in a bid by the attackers, a Russian group known as Wizard Spider, to further their claims for a $20m ransom, which the State has so far insisted it will not pay.

Patient data is 10 to 15 times more valuable than credit card data when sold on the Dark Web, according to a cyber security expert at the University of Ulster.

Professor Kevin Curran said health files offer permanent and extremely useful information about patients to criminals, such as date of birth, addresses, and family connections, which can be sold on for profit.

“The professionals online put that together with other records and they sell it for a lot more money. Then loans can be taken out or false identities can be issued based on this,” he said.

Prof Curran said the scale of this hack has actually caused some disquiet among the hacking community.

“Some of the main ransomware providers who take a cut off the attacks are saying they are going to try to stop ransomware infecting health systems and critical infrastructure,” Prof Curran said. 

“This is the first time we have ever heard this from the hackers.” 

In the Dáil, Labour leader Alan Kelly said the ransomware attack is escalating into a serious national security crisis. He said he had been contacted by a local GP in his constituency about a breach of patient data related to the hack.  

“One of his patients had been contacted by a medical organisation from outside the State with all his details as regards a procedure he needed and his medical history,” Mr Kelly said. 

“This organisation knew exactly what he required medically and was offering, in a short period, to be able to provide the operation he needed because it could see he was not going to get it for some time as a public patient.”

Responding, Taoiseach Micheál Martin said anyone who receives similar contact should report this to the gardaí, adding that he is limited in the amount of information that he can release on the matter in order to keep the details of the State’s response hidden from the attackers.
