State could face huge damages claims for cyber attack

7 August 2021

Should the HSE’s security defences be found to have been lower than the required standard, people and companies who have had their data compromised can sue in the courts under GDPR.

Individual civil legal claims by people whose data has been compromised could total in excess of €15,000 in each instance, according to Daragh O’Brien, managing director with Castlebridge, a data consultancy.

“In terms of civil liability in data cases, historically cases tend to be settled out of court, so there are a lot of unknowns. 

“Previous cases have ranged around €15,000, one in Cork finished at €30,000,” he said, adding that any businesses whose data was exposed will also be in a position to take a commercial lawsuit.

“There aren’t many precedents, but that is going to change after this,” he said.

TJ McIntyre, associate professor of law at University College Dublin, said “it will depend on the degree of fault on the part of the HSE”.

He said a data claim does not count as strict liability, that is, if the HSE had protected itself to a reasonable extent then it can defend itself.

“It is possible that you could take all available steps and still find yourself compromised,” Mr McIntyre said.

He added, however, that while the focus may be on people having their data stolen, “sick people are even more badly affected by their data not being available so that they can be treated”. 

If someone can’t get their radiation oncology for two weeks, and they die because the attack wasn’t mitigated for — then you’re dealing with a direct threat to life, and that’s a data protection outcome.

The news comes as it emerged that some personalised medical data of Irish patients has been shared online in a bid by the attackers, a Russian group known as Wizard Spider, to further their claims for a $20m ransom, which the State has so far insisted it will not pay.

Patient data is 10 to 15 times more valuable than credit card data when sold on the Dark Web, according to a cyber security expert at the University of Ulster.

Professor Kevin Curran said health files offer permanent and extremely useful information about patients to criminals, such as date of birth, addresses, and family connections, which can be sold on for profit.

“The professionals online put that together with other records and they sell it for a lot more money. Then loans can be taken out or false identities can be issued based on this,” he said.

Prof Curran said the scale of this hack has actually caused some disquiet among the hacking community.

“Some of the main ransomware providers who take a cut off the attacks are saying they are going to try to stop ransomware infecting health systems and critical infrastructure,” Prof Curran said. 

“This is the first time we have ever heard this from the hackers.” 

In the Dáil, Labour leader Alan Kelly said the ransomware attack is escalating into a serious national security crisis. He said he had been contacted by a local GP in his constituency about a breach of patient data related to the hack.  

“One of his patients had been contacted by a medical organisation from outside the State with all his details as regards a procedure he needed and his medical history,” Mr Kelly said. 

“This organisation knew exactly what he required medically and was offering, in a short period, to be able to provide the operation he needed because it could see he was not going to get it for some time as a public patient.”

Responding, Taoiseach Micheál Martin said anyone who receives similar contact should report this to the gardaí, adding that he is limited in the amount of information that he can release on the matter in order to keep the details of the State’s response hidden from the attackers.
