Up to 100 cases taken over HSE cyberattack, judge told

European court to decide key liability issues over data breach but question mark hangs over HSE liability for ‘non-material’ damage such as stress

At Dublin Circuit Court, Judge John O’Connor imposed a stay preventing one claim against the HSE from proceeding here until the CJEU decides nine cases referred to it by EU member states concerning liability and damages for cyber attacks. Photograph: iStock
At Dublin Circuit Court, Judge John O’Connor imposed a stay preventing one claim against the HSE from proceeding here until the CJEU decides nine cases referred to it by EU member states concerning liability and damages for cyber attacks. Photograph: iStock

Up to 100 people whose personal data was accessed during a major ransomware cyberattack on the Health Service Executive’s information technology systems are suing for damages.

The personal data of some 100,000 people was accessed during the 2021 cyberattack but a question mark hangs over whether the HSE is liable under the General Data Protection Regulation (GDPR) to pay compensation for alleged “non-material” damage such as stress resulting from a hacking incident.

This week at Dublin Circuit Court, Judge John O’Connor imposed a stay preventing one claim against the HSE from proceeding here until the Court of Justice of the European Union (CJEU) decides nine cases referred to it by EU member states concerning liability and damages for such attacks.

Up to 100 similar cases have been taken, the judge was told. All are expected to remain on hold pending the CJEU decision.

READ MORE

Eoin McCullough SC, with barrister Claire Hogan, for the HSE, sought the stay on an action by a man who is among up to 100,000 others informed by the HSE that their personal data had been accessed during the cyberattack. The man’s data comprises his name, date of birth, phone number and patient number.

Barrister William McLoughlin, for the man, opposed the stay application.

The judge concluded he should grant a stay pending the CJEU determination of nine preliminary references which involve interpreting article 82 of the GDPR in relation to liability for hacking incidents and compensation for “non-material” damage.

A 2022 preliminary opinion from an advocate general of the CJEU in one of the referrals took the view compensation for non-material damage does not cover mere upset an affected person may feel as a result of infringement of the GDPR. The advocate general was of the opinion that national courts of member states should determine whether a subjective feeling of displeasure amounts to non-material damage.

In the action now stayed, the plaintiff claims the HSE, as a data controller processing his personal data, breached the GDPR in how his personal data was processed and that his personal data was accessed due to negligence of the HSE. He wants compensation for non-material damage including alleged inconvenience, annoyance, loss and exposing him to a risk of identity theft and fraud.

In granting the stay, the judge relied on his judgment last January on a separate case by another man against three companies, Parcel Connect Ltd, A & G Couriers Ltd and Napier Couriers Ltd, all trading as Fastway Couriers Ireland.

The plaintiff in that case alleges the defendant firms, or at least one of them, had a data breach incident in February 2021 in which it appeared personal data of more than 450,000 people was compromised.

The plaintiff claims his personal data – name, address, email address and mobile number – was accessed, causing him non-material damage in interfering with his peace and privacy and causing apprehension about the use to which his personal data had been put. He claims he has been contacted by unknown third parties and has lost control over his personal data.

The man’s lawyers opposed Fastway’s application for a stay on the proceedings pending the CJEU determining the referrals.

Granting that stay, the judge noted the plaintiff’s solicitor was acting for 22 clients in proceedings against Fastway arising from the alleged data breach and other solicitors may have “multiple” clients who have issued similar proceedings.

Article 82 of the GDPR confers a right to compensation on a person who has suffered material or non-material damage as a result of an infringement of the GDPR and the correct interpretation of article 82 is subject of preliminary references to the CJEU, he noted.

Those concern the meaning of material or non-material damage and whether some degree of “fault” is required to impose liability under article 82, particularly in the context of a hacking incident by a third party, he said. The case should be stayed pending the CJEU decision, he ruled.

Mary Carolan

Mary Carolan

Mary Carolan is the Legal Affairs Correspondent of the Irish Times