The Irish Data Protection Commission has fined the Health Service Executive €300,000 after a ransomware attack on the laboratory information system at Midlands Regional Hospital Tullamore. The DPC notice, published on 15 June 2026, says the breach was detected on 14 November 2018 and affected systems used to store and process patients’ diagnostic-test results.
The important point for healthcare leaders is where the DPC found fault. This was not framed only as a technical ransomware incident. The regulator also examined processor contracts, records of processing, security measures and breach communications. After a cyber incident, those governance records become part of the evidence.
What the DPC found
The DPC notice says attackers gained access to computers holding laboratory results and used that access to encrypt patients’ personal data. The HSE estimated that personal data relating to about 84,000 people was affected. The DPC also said there was no clear evidence that clinical data had been exfiltrated, but the forensic report could not rule it out.
The decision was notified to the HSE on 11 June 2026. The DPC found infringements of GDPR Article 5, Article 28, Article 30, Article 32 and Article 34. It reprimanded the HSE, imposed a €300,000 fine for the Article 5(1)(f) and Article 32(1) infringements, and ordered specified security policies and procedures. The full decision has not yet been published.
Why ransomware turns into a GDPR enforcement case
Ransomware creates two linked risks. The first is availability: systems stop working, appointments are disrupted and staff lose access to records. The second is data protection: personal data is accessed, encrypted, copied or exposed. Healthcare data makes that second risk sharper because clinical information can affect patient care and can be misused outside the hospital.
GDPR Article 32 requires security measures appropriate to the risk. In a hospital environment, that means the controller needs evidence that clinical systems, supplier access, user permissions, backups and incident response are managed as a live system. A policy folder is not enough if the organisation cannot show how the controls work on the affected system.
The HSE finding also links to recent UK enforcement. The ICO fined Advanced Computer Software Group £3.07 million after a 2022 ransomware incident affected NHS systems. Our write-up on the Advanced fine covers the supplier-security angle for NHS and health-sector organisations.
The processor contract point matters
The DPC found an Article 28 infringement because the HSE had not ensured that agreements with third parties processing personal data on its behalf included sufficient safeguards. That is a practical supplier-management failure, not a paperwork footnote.
For healthcare and public-sector teams, the contract file should answer basic questions before an incident happens: who hosts the system, who can access it, what security duties sit with each supplier, what logs are kept, how quickly incidents are reported, and how the controller can audit or challenge the supplier’s controls. If the agreement does not answer those questions, the data-protection team has a gap to close.
Records of processing are incident evidence
The DPC also found that the HSE did not have a complete and compliant record of processing activities at the time of the breach. Article 30 records are often treated as a compliance inventory. In an incident, they become an operational map.
A useful record should identify the system, the categories of personal data, the data subjects affected, recipients, processors, retention rules and security measures. When an attacker has encrypted a clinical system, that record helps the organisation work out who is affected, which duties apply and what has to be said to patients.
Breach communications cannot be improvised
The Article 34 finding is also significant. The DPC found that the HSE failed to provide affected people with all information required by that Article. GDPR Article 34 applies where a personal data breach is likely to result in a high risk to people’s rights and freedoms. The communication must describe the nature of the breach, name a contact point, explain likely consequences and describe measures taken or proposed.
That is hard to do well if the first draft is written during a live incident. Healthcare organisations should have breach templates ready, but the template must leave room for the facts: affected system, data types, practical risk, patient steps, contact route and what the organisation is doing next.
Controls managers should check this week
- List every clinical or laboratory system that processes patient data, then name the system owner and supplier owner.
- Check whether each processor agreement includes Article 28 safeguards, security duties, incident notice timing and audit rights.
- Review the Article 30 record for each high-risk system against the live system, not last year’s procurement notes.
- Confirm who can access diagnostic-test systems, including supplier and administrator accounts.
- Test whether backups for clinical systems are kept sufficiently separate from the production environment that they survive a ransomware attack and can actually be used to recover.
- Keep a breach communication template that covers the Article 34 information requirements.
- Train managers who own systems to recognise when supplier, security and patient-notification issues need the data-protection lead.
The staff-training point matters because several recent healthcare breach stories have shown the same operational problem: a breach is noticed somewhere in the organisation before the governance response catches up. Our analysis of NHS breach controls looks at why managers need clear escalation routes alongside disciplinary policies.
What to do next
Use the HSE decision as a table-top exercise. Pick one high-risk healthcare or employee-data system. Ask your IT, supplier-management and data-protection leads to prove four things: the security controls are proportionate, the supplier contract is complete, the Article 30 record is current, and the breach communication route is ready.
If those answers are vague, fix the control before the incident. For wider staff awareness, Measured Collective’s data privacy courses help teams understand why security, contracts, records and breach reporting sit together under data protection law.
FAQ
How much did the DPC fine the HSE?
The DPC fined the HSE €300,000 for infringements of GDPR Article 5(1)(f) and Article 32(1). It also reprimanded the HSE and ordered specified security policies and procedures.
How many people were affected?
The HSE estimated that personal data relating to approximately 84,000 people was affected. The DPC said the affected data related to patients’ diagnostic-test laboratory results.
Was clinical data stolen?
The DPC said there was no clear evidence that attackers had exfiltrated clinical data. It also said the forensic report could not exclude that possibility.
What is the main lesson for healthcare organisations?
Ransomware readiness has to include data-protection governance. Security controls, supplier contracts, processing records and breach communications all need to be current before an incident.
