The Health Service Executive (HSE) has been fined €300,000 by the Data Protection Commission (DPC) following a significant data breach at the Midland Regional Hospital in Tullamore linked to a ransomware attack on its laboratory systems.
The breach, first detected in November 2018, affected the laboratory information system used to store and process patients’ diagnostic test results. Investigators estimated that the personal data of approximately 84,000 individuals may have been impacted when attackers gained access to hospital computers and encrypted sensitive information.
The DPC launched a formal investigation into the incident, focusing on the adequacy of the HSE’s technical and organisational safeguards designed to protect personal data. The inquiry examined whether appropriate security measures were in place at the time of the cyberattack and how the organisation managed data protection obligations under the General Data Protection Regulation (GDPR).
According to the findings, several GDPR breaches were identified. While investigators noted that there was no definitive evidence that the attackers extracted clinical data, a forensic review could not rule out that sensitive information was accessed or copied during the intrusion.
DPC Deputy Commissioner Graham Doyle said the scale and nature of the data involved raised serious concerns. He highlighted that the sensitivity of the medical information, combined with the large number of individuals affected, created potential risks not only to patient privacy but also to the integrity of clinical care.
The investigation also found that the HSE failed to ensure adequate contractual safeguards were in place with third-party service providers responsible for processing personal data on its behalf. In addition, the regulator determined that the HSE did not provide sufficient information to individuals whose data may have been compromised, as required under data protection law.
While imposing the financial penalty, the DPC acknowledged that the HSE has since made substantial improvements to its cybersecurity and data protection practices. Mr Doyle noted that the organisation has demonstrated a commitment to strengthening its systems in the years following the breach.
Alongside the €300,000 fine, the HSE has been ordered to implement a series of corrective measures. These include updated policies and procedures aimed at improving the security of personal data processing and ensuring compliance with GDPR requirements going forward.
The HSE has been contacted for comment regarding the decision.




