HSE defends its record on cybersecurity 

The State could face hundreds of millions in legal claims from victims if the HSE is found to have failed to adequately protect patients' data from the cyber hack.

Should the HSE’s security defences be found to have been lower than the required standard, people and companies who have had their data compromised can sue in the courts under GDPR.

Individual civil legal claims by people whose data has been compromised could total in excess of €15,000 in each instance, according to Daragh O’Brien, managing director with Castlebridge, a data consultancy.

Speaking today, Mr Donnelly said he has already seen some law firms advertising potential damage suits, and "potentially licking their lips at the thought of being able to sue the State". 

“I find it very distasteful — we have been attacked as a nation, our patients and the HSE have been attacked," he told Newstalk.

“There are serious GDP laws in place which, obviously, we comply with. We saw the same with the vaccine programme. We had online materials being published by law firms talking about future law cases that patients would be able to take against the State.

"If there are cases that can be taken then people have a right to take those cases, but certainly I find that when we are in the middle of trying to get urgent health care services back up and running for sick patients, I find it very distasteful that any law firm would be putting stuff up on their websites to that end."

The director-general of the HSE has, meanwhile, defended the HSE's record on cybersecurity, calling the ransomware attack a "vicious and callous act". 

Paul Reid said that it was far too early to assess if weaknesses identified in the system some years ago had been the cause for the attack. No direct link had been identified, he said.

The weaknesses in question had been identified by an internal audit, he said and if they had not been identified that would have been an even more significant failing. As a result of the identification of the weaknesses, actions had been taken.

The approach adopted by the HSE had been to invest in new systems, such as the Covid testing system and the vaccination programme, both of which were new and separate and therefore had not been impacted by the cyberattack, he added.

While he could not validate reports that patient data was being revealed, Mr Reid said there was a strong likelihood that had happened. What he did know was that a significant proportion of data had been encrypted and was backed up.

The HSE focus now was on restoring services while the NCSC and the gardaí were carrying out an investigation into what happened. 

Mr Reid acknowledged that the attack on the HSE would have a knock-on effect on other government departments such as Social Protection and that emergency departments were having to use “pens and paper”. It was unfortunate that such a process was required, but slow progress was being made.

When asked if the ransom would be paid, Mr Reid said that it was not Government policy and was a separate process from the HSE.