The HSE has commenced notifying 113,000 patients and staff that their personal information was stolen during the cyber-attack in May of 2021. Patients and staff will be informed that their medical notes, correspondence with patients and lists of people using healthcare services were among the documents stolen. Patients’ treatment histories and details of travel expenses of staff, with some of their financial information included were also stolen.
The HSE have announced that there was no evidence to suggest the stolen documents had been used in a “nefarious way”. The HSE claims that it took “every step to mitigate the impact” of the attack – is expected to receive a number of legal claims from people affected.
It is understood that letters will issue to those affected containing an apology. The letter will also identify what documents were accessed and people can request to view the exact documents that were illegally accessed and copied via a portal on the HSE website.
In terms of your rights, data controllers (such as the HSE) have an obligation to provide for an appropriate level of cyber security. The EU GDPR Directive and Data Protection Act 2018 provide that in assessing the appropriate level of security, data controllers must take account of the risks inherent in the processing. This means that the more sensitive the data, the stronger the security should be. Your health data would be considered as one of the most sensitive and therefore deserving of the highest level of security.
If you have been affected by the HSE Data breach, please call us on 091 564973 or email lhoward@lhsolicitors.ie for advice