The Irish Examiner reports that a cancer patient is taking legal proceedings against Mercy University Hospital in Cork, Ireland.
Not because of negligent treatment, but because some of his personal medical files were published on the dark web after the hospital suffered a ransomware attack earlier this year.
The middle-aged man who is at the centre of the case is choosing to remain anonymous for now, but his solicitor says that he has other clients in a similar situation who he expects to also take legal action:
“My client wants to remain anonymous for now but has consented to his cause being publicised without any identifying information. He recently underwent a long course of treatment for cancer in the Mercy and got the ‘all clear’ just before the data breach. He cannot speak highly enough of the treatment he got in the Mercy, but is understandably worried about the events that unfolded,” said solicitor Micheál O’Dowd.
Back in May, the Irish public healthcare service – known as the HSE – suffered a major ransomware attack, which resulted in its IT systems being shut down across the nation.
As a result many patients’ appointments were cancelled, and doctors reported they could not access electronic records
Not long afterwards it was confirmed that sensitive information related to 520 patients had been published online by the hacking gang, alongside documents related to health service meetings and correspondence.
The Conti criminal gang responsible for the attack initially demanded a $20 million ransom be paid for a decryption key, but then appeared to change its mind – making available the key to unlock the HSE’s data for free.
Despite this, two months after the initial attack, the HSE has still not completely recovered – even though it has drafted in hundreds of members of the armed forces to assist with the clean-up.
Having a decryption key is clearly not always the end of a ransomware victim’s problems – recovery can still be long and complex.
For one thing, knowing how to decrypt encrypted data doesn’t undo the fact that hackers might have also stolen data from your systems and published it online.
And that seems to be the complaint of the unnamed man who is suing Mercy Hospital in Cork. He clearly feels there has been negligence in how well they secured his personal information.
Is he right to take legal action against a hospital which is clearly still battered and bruised by a ransomware attack?
My guess is that most hospitals can probably ill-afford to spend time and money on fighting court cases when they would do better to focus on their cybersecurity.