HSE cyber attack: More than 470 legal proceedings issued against health service after ransomware hit

Leak by Conti, the Russia-based crime group, compromised personal data of almost 100,000 staff and patients

More than 470 legal proceedings have been issued against the Health Service Executive (HSE) in relation to a cyber attack that shutdown the health service’s IT systems and compromised the data of thousands of patients and staff three years ago.

Conti, a Russia-based cybercrime group, launched its ransomware attack on the health service on May 14th, 2021. It was the biggest attack on a health system anywhere in the world and led to lengthy delays in patient treatment and compromised the personal data of almost 100,000 staff and patients.

In a statement, a HSE spokeswoman said a total of 473 legal proceedings had been issued against the HSE in relation to the attack. Additionally, there were 140 pre-action letters issued, she said.

There are a number of legal cases before the Courts of Justice of the European Union (CJEU) relevant to the proceedings issued against the HSE. The HSE expects the outcome of the CJEU cases will address a number of legal issues in the proceedings against it.


For this reason a stay, pending the outcome of the relevant CJEU cases, has been agreed or has been sought in the proceedings against the HSE, the spokeswoman said.

The State Claims Agency (SCA), which manages delegated personal injury claims taken against State authorities, said it is managing 12 personal injury claims taken against the HSE arising from the 2021 cyberattack. Legal proceedings have been served in respect of 11 of these claims, the spokesman said.

A report on the attack, conducted by PwC, identified the “frail” nature of the dispersed IT system used by the health service as a key weakness.

There was a “known low level of cybersecurity maturity” within the HSE and the connected national health network, and this weakness had “persisted”, the report said.

Since the attack, the executive has written to “all of the people affected by the cyber attack”, with the total number of affected people standing at 90,936. A total of 1,445 people requested follow up information under Data Subject Access Requests (DSAR).

“The HSE continues to monitor the internet and in particular the Dark Web and to date has not identified any evidence that any data has been shared or used fraudulently following the cyberattack,” the spokeswoman said.

According to the spokeswoman, the HSE has “invested significantly” in cyber remediation since May 2021.

“There are multiple ongoing programmes of work focused on addressing all issues highlighted in the wake of the attack, reducing risk, building cyber resilience, and building additional cyber security capability and capacity through the establishment of a dedicated cyber security function under the leadership of a Chief Information Security Officer (CISO) within the HSE,” she said.

The current estimate as to the total cost of the cyberattack is €102 million. However, a 2022 report by the Comptroller and Auditor General estimated the service will need an additional €657 million over seven years for cybersecurity improvements.

Last week, the Seanad heard senior cybersecurity roles at the HSE have not permanently been filled, and the HSE continues to operate on an “outdated” Windows 7 operating system on some of its devices, despite its vulnerability to attack.

Shauna Bowers

Shauna Bowers

Shauna Bowers is Health Correspondent of The Irish Times