One of the first legal cases over the release of sensitive medical information on the dark web as part of the HSE cyber hack has been lodged at Cork Circuit Court.
The case was lodged on Monday against Mercy University Hospital (MUH) by a Cork solicitor acting on behalf of a middle-aged family man who received treatment there for cancer.
Glanmire-based solicitor Micheál O’Dowd said some, but not all, information relating to the man’s medical files had been put up on the dark web and he had other clients in a similar situation for whom he expects to lodge legal proceedings as well.
All of the cases relate to people getting cancer treatment.
“My client wants to remain anonymous for now but has consented to his cause being publicised without any identifying information. He recently underwent a long course of treatment for cancer in the Mercy and got the ‘all clear’ just before the data breach. He cannot speak highly enough of the treatment he got in the Mercy, but is understandably worried about the events that unfolded,” Mr O’Dowd said.
“The proceedings have been served. The next step along the way will be to seek further details of the ‘hack’ through the discovery process in the courts,” he added.
A spokesperson for MUH said the hospital cannot comment in advance of legal proceedings.
On May 14, the HSE became aware of a significant ransomware attack on some of its systems, resulting in more than 85,000 computers being shut down in an attempt to contain the attack.
The Conti cyber-crime group’s ransomware attack compromised the HSE’s entire system, resulting in knock-on effects on services, equipment, and access to patient records.
The gang sought a ransom of $20m to be paid in bitcoin, but the HSE and Government said they refused to pay.
Later that month, data stolen in the attack – including sensitive patient information, minutes of meetings, and correspondence with patients – appeared on the dark web.
In a statement on its website, the HSE said action was being taken to assist the people affected by this.
“There is no evidence that large amounts of patient or staff data has been published online or sold to criminals involved in fraud,” the HSE added.
The HSE and the Mercy Hospital both secured High Court injunctions to stop personal and medical information that may have been stolen in this cyber attack from being shared, sold or published online.
HSE chief executive Paul Reid said recently that the cost of the attack could rise to €500,000m due to the significant capital costs in replacing infected devices.
He added there would also be human costs as well, as it will take months before systems are fully restored.
By the end of June, 75% of its servers had been decrypted, with the focus being on those systems “most critical to patient care in the first instance”, Mr Reid added.