Cyber Security & HSE Data Breach

Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and the unauthorised exploitation of systems, networks, and technologies.

Applicable laws regarding cyber security in Ireland include:

  • The General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as GDPR. This governs the way in which personal data is collected, processed, and distributed in Ireland.
  • The e-Privacy Regulations 2011 (S.I. 336 of 2011), which implemented the e-Privacy Directive 2002/58/EC and are more commonly recognised simply as the e-Privacy Regulations, regulate the way that providers of public telecommunications networks or services handle personal and private data. These regulations also require providers to introduce and implement technical, organisational and safety measures to protect the security of their services and to report incidents.
  • The Security of Network and Information Systems Directive 2016/1148/EU was introduced into Irish law under S.I. 360/2018 European Union Regulations. However, there have been proposals from the European Commission to revise this Directive.
  • The Payment Services Directive II (Directive 2015/2366/EU), more familiarly known as ‘PSD2’, was implemented into Irish law by the European Union Regulations 2018 (S.I. 6 of 2018). This introduced technical standards to ensure ‘strong customer authentication’ and aimed to enhance payment service safety.
  • It is also possible to seek a remedy under the Defamation Act 2009 or at common law on the grounds of breach of confidence or negligence. This is only possible if the security breach results in the release of inaccurate information about the individual.

Despite the apparent dedicated effort of Irish legislation, a new study shows that Ireland is the sixth-least cybersecure nation in Europe. This study analysed and ranked countries on factors including cybercrime exposure, commitment to cybersecurity, social media and email hacks, malicious software, identity theft, cybersecurity legislation and online banking fraud.

This result comes as Ireland suffered the most debilitating cyber-attack in the history of the State when the HSE infrastructure was severely compromised by a malicious ransomware virus in May 2021. This vicious attack critically damaged the HSE’s ability to deliver acute healthcare for a significant period. This was especially problematic and challenging given the intensity of the Covid-19 pandemic at the time of the attack. This, without doubt, put the HSE under immense pressure, and it is estimated that it will cost up to €500m to entirely restore all systems and functions of the HSE’s IT infrastructure.

On 15 May 2021, the Data Protection Officer (DPO) for the HSE made a data breach notification to the Data Protection Commission. In his notification, he announced that on 14 May 2021 the HSE had suffered a data security breach of its IT systems. In the notification, the DPO bluntly set out the facts. 4.9 million people were affected by this breach and the data disclosed included:

  • Data Subject Identity data (name, surname, date of birth).
  • PPSN details.
  • Contact details.
  • Identification data (passports, licence data etc.).
  • Economic and Financial data.
  • Location Data.

Furthermore, special category data including trade union data, health data, biometric data and genetic data was also disclosed.

The DPO clarified that possible consequences for certain individuals included:

  • Loss of control over personal data.
  • Identity theft.
  • Fraud.
  • Damage to reputation.
  • Loss of confidentiality of personal data protected by professional secrecy.

The DPO described the threat of the above risks to individuals as ‘severe’. It was thought that these risks were not communicated correctly and urgently enough to the individuals concerned. The cyber-attack received a great deal of coverage in the media, but little information was disclosed to individuals personally.

Article 33 of the General Data Protection Regulation requires that in “the case of a personal data breach, the controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” It seems that Article 33 was complied with given the correspondence between the HSE and the DPC following the incident.

Article 34 GDPR states that “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”. Originally, the Data Protection Commission was informed by the HSE that data subjects would be notified both in the media and personally from 20 May 2021. This does not appear to have happened, however, and may result in a breach by the HSE of Article 34 GDPR. In addition, when people tried to contact the HSE to discuss their concerns over the recent cyber-attack, they received what appeared to be an automatic email in response. The apparent lack of compliance with Article 34 may give rise to claims from individuals seeking damages.

Government officials have agreed to increase their spending on State cyber security following the attack. They propose to kick-start this by appointing a head of the National Cyber Security Centre. This position was vacant at the time of the HSE attack, and critics have argued that the risk of this attack could have been reduced had the position been filled. Hopefully, these efforts by the Government, along with extra diligence from citizens, will result in fewer cases of cybercrime in Ireland in the future.

For further information in relation to this matter, please contact Claire McCormack (Partner) or your usual AMOSS contact.