Assessing total number of patient data breaches 'likely to take months to fully complete'

A HSE data protection officer has now told a solicitor acting for patients whose data was published that the process of checking for further breaches is far from complete.

In an email sent recently, the HSE said cybersecurity experts analysed thousands of servers “to detect any indicators of compromise”.

“The appropriate notifications will be made to any affected data subjects identified during this process," the HSE stated. 

The process is likely to take some months to fully complete, but any notifications required will not have to wait until the full process is complete.”

Solicitor Michael O’Dowd of O’Dowd Solicitors said he continues to represent a number of individuals whose patient data or that of family members was released by the criminal gang. He said the legal process is ongoing, and the patients he represents had had cancer treatment.

The first case was lodged in mid-July against Mercy University Hospital (MUH) in Cork on behalf of a man.

Minutes of crisis management meetings released under the Freedom of Information Act show the pressures on MUH as it, like all affected sites, struggled to cope with the fallout from the cyberattack.

A meeting on May 24 heard from radiology: “There are between four to five million images which have been corrupted, [he] hopes to get most back but does not know how long this will take nor the recovery success rate … now backed up three weeks in terms of data.”

The radiology department said it was keeping on top of urgent cases, but warned that “clearing the historical backlog is going to be a huge task”.

On May 25, a consultant warned of a “significant risk aspect” arising from incorrect information manually entered into records for blood samples “especially in the first days of the cyberattack”.

The meeting decided to raise at national level risks from cancelling multi-disciplinary meetings about patients whose care requires a number of consultants.

On May 26, the radiology department flagged multiple errors with manually-created patient records, often having no doctor’s name or ward number for the patient.

On May 31, ICT reported it had built five computers over the weekend for one struggling outpatient department.