The HSE has been sued more than 400 times in the fall-out from the massive cyberattack which brought its systems to a halt in 2021, but said it will defend those claims “robustly”.
The vast majority of the lawsuits—398 of 404—are linked to GDPR or data protection claims, with the remainder filed as personal injury actions.
The health service was brought to a shuddering halt by the cyberhack in May 2021, carried out by a Russian international criminal organisation, with the vast majority of the HSE’s electronic systems and networks rendered unusable.
In the aftermath, the HSE came in for sustained criticism for the vulnerability of its IT defences, something it was claimed had been raised repeatedly with the organisation in the years preceding the attack.
The number of claims received to date as a result of the attack has not yet finalised as new actions continue to be taken.
In an update for the Public Accounts Committee, the HSE said the nature of the attack on a public body had been “unprecedented”, and that as such “it will defend these claims robustly”.
It said that a lack of case law precedents for the various actions meant an absence of “clearly defined legal principles” by which the HSE’s potential liability and the subsequent quantum of any damages awarded could be assessed, meaning it “is not possible at this stage to estimate the prospective outlay” which may result from that litigation.
Legal questions in terms of liability and damages relating to GDPR in other EU countries have been referred to the Court of Justice of the EU (CJEU), it said, adding that those claims are of direct relevance to the HSE. The HSE said the Irish claims should not be heard before certainty is received from the European court.
“These questions are directly relevant to the claims against the HSE. It is important that the issues in these preliminary references are clarified by the CJEU before the claims against the HSE proceed,” it said, adding that it had applied for a stay on proceedings in one lead case of the 404 lodged at Dublin’s Circuit Court pending the CJEU’s decisions in the European cases.
Such a stay means the proceedings in those cases are effectively paused until the CJEU issues its judgments.
Given that the stay has been granted, the HSE said it would be applying for similar stays in all the other cases, adding that the “majority” of the claimants had agreed, with “correspondence ongoing” in the remainder.
Early this year, the HSE said that about 100,000 notifications were to be delivered to patients whose data had been breached as a result of the attack.
Last month, the revealed that the HSE is to spend €33m centralising and refining its response to cyber security incidents via a number of new public contracts.