The cyber attack suffered by the Irish health service could see the HSE fined €1m for GDPR failings – the maximum amount allowable under Irish law.

The Data Protection Commission has confirmed it received notice of the massive breach from the HSE within 72 hours of it occurring, as required by law.

While the DPC will not officially make a decision as to whether or not to initiate an inquiry before the end of next week at the earliest, an investigation is inevitable given the extent to which the HSE’s technology and systems have been compromised.

Under Article 32 of the GDPR, controllers have a responsibility to encrypt and preserve personal data as confidential, and must have the “ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

The HSE has acknowledged it is likely to be some weeks before its systems are fully restored.

“Given how outdated the HSE’s systems are, this whole situation is an opportunity for them to get their house properly in order,” a senior privacy source said.

Daragh O’Brien, managing director with Wexford-based data consultants Castlebridge, said he believed the HSE breach may see the DPC utilise the full extent of its fining powers on a State body for the first time.

“Even the most benign parent will eventually lose their patience,” he said of the DPC’s tolerance for State bodies’ intransigence on GDPR compliance.

He said the context is a decision by the Data Protection Commissioner Helen Dixon last month to fine the Irish Credit Bureau €90,000 for a 2018 data breach which saw 1,062 incorrect account records disclosed to financial institutions. It was at the time the largest individual fine applied to an Irish company under GDPR.

That figure had been reduced from €220,000 due to mitigating circumstances – specifically the speed with which the ICB had rectified the errors in its own records.

However, such mitigation does not appear to be available to the HSE, both due to the ongoing nature of the crisis, and the fact that personal data may have been stolen by the cyberattackers.

“The Credit Bureau involved 15,000 records, affected 1,000 people and saw a fine of €220,000, and it wasn’t a ransomware attack. The failings of the HSE are at the very least five times as bad as that,” Mr O’Brien said.


Written by Cianan Brennan, Irish Examiner