Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

At the outset, it is important to note that there is no evidence that any personal data has been shared or used fraudulently since the criminally motivated cyber-attack in May 2021 (other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web). The HSE began a secure process on the 29th November to contact people whose information was illegally accessed and copied during the 2021 cyber-attack on HSE systems. This follows a lengthy and detailed process whereby files were subjected to extensive examination and verification to determine whether they had been affected to and confirm who they belonged to. To date, the HSE has notified almost 52,000 individuals of a total number of 100,000 people whose personal information was affected by the cyber-attack and this process is estimated to take 16-weeks from start to finish. TUSLA has commenced its notification process relating to 20,000 people whose personal information was affected by the cyber-attack. Children’s Health Ireland (CHI) has also commenced notification that includes approximately 2,200 people.

The HSE has taken a number of actions and mitigations since the criminally motivated cyber-attack that includes the following:

- HSE cyber security experts have been monitoring the internet including the dark web since the cyber-attack and have seen no evidence at this point that the illegally accessed and copied data has been used for any criminal purposes or been published online (other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web).

- The HSE obtained a High Court order on 20th May 2021 restraining any sharing, processing, selling, or publishing of data illegally accessed and copied from our computer systems. This remains in place to prevent anyone using any of the illegally accessed and copied information.

- HSE cyber security experts are continuing to monitor the internet and the dark web for illegally accessed information and the HSE will act immediately if they see any evidence of this.

Since the cyber-attack the HSE has:

- further strengthened IT and cyber security defences

- increased their staff training and awareness about cyber security

- implemented controls to monitor and manage threats to the HSE network and further strengthened identity and access management processes and controls.

- worked with international and national cyber security experts to protect against future attacks

While the GDPR Act 2018 set out the rights of individuals in the event of a data breach, it is important to note the strong measures and mitigation actions taken by the HSE since the criminal attack and also that there is no evidence that any personal data has been shared or used fraudulently since 2021 (other than a small amount of data which was referred to in an article in May 2021 by the Financial Times and subsequently removed from the web).

It is also acknowledged that the Court of Justice of the European Union (the CJEU) is considering questions referred to the CJEU in a number of cases relating to the infringement of the GDPR including as a result of a ransom attack and we now await to see the outcome of these cases.