The Health Service Executive (HSE) is offering €750 in compensation to victims of a cyberattack that shutdown the health service’s IT systems and compromised the data of thousands of patients and staff four years ago.
Conti, a Russia-based cybercrime group, launched its ransomware attack on the health service on May 14th, 2021.
O’Dowd Solicitors, a Cork-based firm representing more than 100 people affected by the HSE data breach, received the cash offer from the HSE on Friday. The offer included an additional sum of €650 per person for legal costs.
The letter from the Cork firm to affected patients described the offer as a “significant development”, adding that it is “the first time in public (or private that I know of) the HSE have acknowledged that they will need to compensate individuals impacted by the breach”.
The 2021 attack was the biggest on a health system anywhere in the world and led to lengthy delays in patient treatment and compromised the personal data of almost 100,000 staff and patients.
The offer from the HSE comes after a recent high-profile case affirming damages to victims of data breaches.
In a statement, a spokeswoman for the HSE said that, as of last month, there were about 620 legal proceedings issued against the HSE “arising from the criminally motivated cyberattack in May 2021″.
“The HSE is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly. These legal matters between the HSE and effected individuals are confidential,” the statement said.
[ HSE cyber attack: More than 470 legal proceedings issued against health service after ransomware hitOpens in new window ]
According to the HSE, it has “invested significantly” in cyber capability since the attack.
“There are multiple ongoing programmes of work focused on addressing all issues highlighted in the wake of the attack,” it added.
“The HSE manages and responds to thousands of cyber threats annually and takes appropriate action to identify and develop responses to cyber risks and ensure awareness of current threats. The HSE continues to invest significantly in multi-layered cyber defences.”
A 2021 PwC report into the HSE cyberattack identified the “frail” nature of the dispersed IT system used by the health service as a key weakness that led to the incident, with the opening of a malicious file attached to a phishing email being identified as the cause.
