Jack Horgan-Jones reports:
More than 100,000 people who had their personal data stolen during the HSE cyberattack last year will begin being contacted by the service in the coming weeks, The Irish Times has learned.
The health service is expected to start contacting people this month, opening the way to further controversy surrounding the attack, and the risk of litigation arising from it.
Read more at The Irish Times.
That is a long gap between breach and notification. Was all the public news coverage about the breach last year enough to alert people that their data had possibly been accessed, acquired, and leaked? Did any fraud or other harms occur between then and now that might have been avoided with earlier individualized notification? The HSE told The Irish Times that it has “been monitoring the internet, including the dark web since the cyberattack, and has seen no evidence at this point that the illegally accessed and copied data has been published online or used for any criminal purposes.” But what about the harms that may have occurred due to delayed or canceled care appointments or lack of access to records?
The Conti attack was one of the worst ever in terms of impact on the medical sector. The HSE reportedly had poor defenses in place before the attack that began in May 2021 and equally poor plans for responses or mitigation.
Would any litigation now or regulator penalties merely take away more funds or resources from hardening their security and leave them more vulnerable to more attacks? How will this all work out down the road?