The Midland Regional Hospital in Tullamore.

HSE hit with €300,000 fine over Tullamore hospital patient data breach

The HSE has been fined €300,000 for failing to take "appropriate" security measures in relation to patients' personal data at the Midland Regional Hospital in Tullamore.

The fine was announced this week by the Data Protection Commission (DPC), and follows an inquiry into a ransomware attack, detected on November 14, 2018, on the "laboratory information system" at the hospital.

The HSE told the commission that the data breach affected the personal data of an estimated 84,000 patients of the hospital in Tullamore.

The DPC said ransomware attackers "gained access to computers that stored and processed laboratory results of patients’ diagnostic tests," and that they had "used that access to encrypt patients' personal data".

As part of its inquiry, the commission examined the HSE's "technical and organisational measures" for ensuring the security of processing personal data on the systems that were attacked.

It also examined the HSE's compliance with the General Data Protection Regulation (GDPR) in relation to contracts with service providers, its record of processing activities, and "the requirement to notify persons who are affected by high-risk breaches".

The commission said this week that it had informed the HSE on Thursday last, June 11, that it was being "reprimanded" and fined €300,000 for a number of GDPR infringements.

These included "failing to ensure appropriate security of the personal data related to the processing of patients’ personal data," and "not ensuring that agreements with third parties that processed personal data on its behalf included sufficient safeguards to ensure that... the rights of data subjects were protected".

The HSE also failed to "have a complete and compliant record of processing activity at the time of the breach," the commission found.

Commenting on the findings, DPC Deputy Commissioner Graham Doyle said the sensitive nature of the data, and the large number of patients potentially affected, "posed risks" to their clinical care.

"The HSE estimated that the personal data of approximately 84,000 persons was affected by this breach," Mr Doyle stated.

"While there was no clear evidence that the attackers had exfiltrated clinical data, a forensic report on the breach was not able to exclude the possibility of such action.

"The sensitive nature of the personal data, and the large number of persons potentially affected therefore, posed risks to the clinical care of patients, and of disclosure and misuse of their personal data."

He added that the commission acknowledged "the considerable improvements" made by the HSE since the 2018 breach, along with "its commitment to ongoing improvements".

The DPC is due to publish its full decision in the case "in due course".

When contacted by this newspaper, the HSE issued a statement in which it said it accepted the commission's findings. It described the ransomware attack as "an isolated incident which was prevented from spreading any further than the lab system at Midlands Regional Hospital".

It added: "There was no adverse clinical impact as clinicians could revert to a paper-based record system.

"In 2018 we took immediate action implementing measures to harmonise and standardise the standalone system, by integrating it into the wider HSE infrastructure.

"The HSE has and continues to invest significantly in its cyber capability," the statement added, saying there were "multiple ongoing programmes of work focused on reducing risk, building cyber resilience, and building additional cyber security capability".

The HSE's statement concluded that it "takes all breaches of data protection seriously and manages all breaches of data protection in line with data protection legislation and HSE policy.

"The HSE has cooperated fully with the DPC inquiry, while implementing measures to reduce the risk of this happening again," it said.