HSE Fined €300,000 by DPC Over 2018 Midland Hospital Data Breach

The Health Service Executive (HSE) has been fined €300,000 by the Data Protection Commission (DPC) for a data breach at the Midland Regional Hospital, Tullamore, detected in November 2018.

The breach, caused by a ransomware attack on the laboratory information system, affected the personal data of approximately 84,000 people. Attackers encrypted patients’ diagnostic test results, posing risks to clinical care and potential misuse of data, although no clear evidence of data exfiltration was found.

The DPC investigation identified multiple General Data Protection Regulation (GDPR) infringements by the HSE, including inadequate technical and organisational security measures, insufficient safeguards in third-party agreements, and failure to inform affected individuals properly. In addition to the fine, the HSE was ordered to implement new data security policies and procedures.