HSE secures court orders preventing IT worker distributing data

Niall Bradley allegedly distributed confidential information from HSE computer servers

The information includes patients personal data and medical databases allegedly sent by Mr Bradley to Wikileaks, the non-profit organisation that publishes news leaks provided by anonymous sources. Photograph: iStock
The information includes patients personal data and medical databases allegedly sent by Mr Bradley to Wikileaks, the non-profit organisation that publishes news leaks provided by anonymous sources. Photograph: iStock

The HSE has secured High Court orders preventing an Information Technology worker distributing or communicating highly confidential and sensitive information about hospital patients.

Mr Justice Tony O’Connor also granted orders restraining Niall Bradley, with an address at Carrigeen Hill, Conna, Co Cork, from leaving Ireland until he has complied with the order to deliver up the confidential information and requiring him to hand over his passport to the gardaí, to be retained until further order. It is alleged Mr Bradley, when he was working for a time with a third party contracted by the HSE to perform IT services, distributed confidential information obtained by him from the HSE’s computer servers.

The information includes patients personal data and medical databases allegedly sent by Mr Bradley to Wikileaks, the non-profit organisation that publishes news leaks provided by anonymous sources.

Mr Justice O’Connor said he was satisfied Mr Bradley had gained access to private and sensitive data through his former employment and had threatened to facilitate the dissemination of patients details and private records.

READ MORE

Twitter

The defendant had in a social media post referred to information he obtained, which Mr Bradley knew should be kept secure, as being “stolen”, the judge said.

The HSE initiated proceedings against Mr Bradley following a probe commenced by it after becoming aware, from posts on social media of screenshots of the HSE’s internal servers, of a potentially serious data breach.

The HSE claims the posts appeared on three Twitter accounts which, it claims, were set up and controlled by Mr Bradley. Through those accounts, Mr Bradley allegedly sent messages to a senior official at the HSE and also to Twitter accounts of Taoiseach Leo Varadkar, Ministers Simon Harris and Pascal Donohoe, media figures and Chief Medical Officer Dr Tony Holohan, it is claimed.

In his communications, Mr Bradley made allegations of a “cover-up” and a “scam” by the HSE and said he would make public data from over a dozen Irish hospitals, it is claimed. It is also claimed he used various hashtags on his posts including #covid19 #lockdown ireland #notmytaoiseach #MAGA and #mediascum.

The HSE said, during his previous employment as a systems administrator, Mr Bradley was given access to its servers and patient databases to carry out tasks which his previous employer was contracted to do. That firm’s role was to maintain and service a smart’ automated system, Omnicell, used to dispense, record and manage medication given to patients at various hospitals throughout the state.

Employment terminated

Since becoming aware of the situation, the HSE, in co-operation with Mr Bradley’s previous employer, who terminated his employment after learning of the HSE’s concerns, took steps to secure the servers and prevent the information being published.

The steps include having posts on the pastebin.com site and links to the confidential material removed. The HSE also obtained court orders, including injunctions to prevent him attempting to post more links to confidential information.

The injunctions continue pending the outcome of any full hearing of the matter. The injunctions application was initially heard in private last Friday but the judge later lifted the in camera ruling, allowing the media to report the case. The HSE, represented by Eoin McCullough SC and Joe Jeffers BL, instructed by Philip Lee solicitors, sought orders against Mr Bradley with an address at Carrigeen Hill, Conna, Co Cork.

The court was told Mr Bradley had been informed of the application. He did not attend the court hearings and was not represented. Mr Justice O’Connor, in making the orders, said Mr Bradley would have the chance to advance a defence to the HSE’s claims at a full hearing of the action.

The injunction restrains Mr Bradley and any person to whom he has communicated, or may communicate, the confidential information from destroying, disseminating, publishing, or using any of it through specific twitter handles and email addresses attributed to him.

He must deliver up all documents, records and devices containing the information to the HSE’s solicitors for forensic analysis. The court further restrained Mr Bradley from leaving Ireland until he has complied with the order to deliver up the confidential information. He must hand over his passport to the Garda pending further order.

The HSE’s solicitors got permission to notify the Department of Foreign affairs, An Garda Síochána, authorities at all points of exit from the State about the court’s orders. Mr Justice O’Connor said Mr Bradley had said in another tweet that he had sold his house and was moving about Europe in a camper van to “ply my skills elsewhere.”

The HSE’s lawyers undertook to give the Data Protection Commissioner, Minister for Health and Attorney General copies of the order and the court documents if requested by those parties.