[BreachExchange] Cancer patient to sue Cork's Mercy Hospital over cyber hack

[Sophia Kingsbury]

https://www.irishexaminer.com/news/munster/arid-40337252.html

One of the first legal cases over the release of sensitive medical
information on the dark web as part of the HSE cyber hack has been lodged
at Cork Circuit Court.

The case was lodged on Monday against Mercy University Hospital (MUH) by a
Cork solicitor acting on behalf of a middle-aged family man who received
treatment there for cancer.

Glanmire-based solicitor Micheál O'Dowd said some, but not all, information
relating to the man's medical files had been put up on the dark web and he
had other clients in a similar situation for whom he expects to lodge legal
proceedings as well.

All of the cases relate to people getting cancer treatment.

“My client wants to remain anonymous for now but has consented to his cause
being publicised without any identifying information. He recently underwent
a long course of treatment for cancer in the Mercy and got the 'all clear'
just before the data breach. He cannot speak highly enough of the treatment
he got in the Mercy, but is understandably worried about the events that
unfolded,” Mr O'Dowd said.

“The proceedings have been served. The next step along the way will be to
seek further details of the 'hack' through the discovery process in the
courts,” he added.

A spokesperson for MUH said the hospital cannot comment in advance of legal
proceedings.

On May 14, the HSE became aware of a significant ransomware attack on some
of its systems, resulting in more than 85,000 computers being shut down in
an attempt to contain the attack.

The Conti cyber-crime group’s ransomware attack compromised the HSE’s
entire system, resulting in knock-on effects on services, equipment, and
access to patient records.

Ransom of $20m

The gang sought a ransom of $20m to be paid in bitcoin, but the HSE and
Government said they refused to pay.

Later that month, data stolen in the attack – including sensitive patient
information, minutes of meetings, and correspondence with patients –
appeared on the dark web.

In a statement on its website, the HSE said action was being taken to
assist the people affected by this.

“There is no evidence that large amounts of patient or staff data has been
published online or sold to criminals involved in fraud,” the HSE added.

The HSE and the Mercy Hospital both secured High Court injunctions to stop
personal and medical information that may have been stolen in this cyber
attack from being shared, sold or published online.

HSE chief executive Paul Reid said recently that the cost of the attack
could rise to €500,000m due to the significant capital costs in replacing
infected devices.

He added there would also be human costs as well, as it will take months
before systems are fully restored.

By the end of June, 75% of its servers had been decrypted, with the focus
being on those systems “most critical to patient care in the first
instance”, Mr Reid added.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210715/17dba95f/attachment.html>