Data Protection Commission announces final decision into Midlands Regional Hospital Tullamore inquiry

15th June 2026

The Data Protection Commission has announced its final decision following an inquiry into a ransomware attack on the laboratory information system in Midlands Regional Hospital Tullamore, County Offaly. The breach was detected on 14 November 2018. The attackers gained access to computers that stored and processed laboratory results of patients’ diagnostic tests, and used that access to encrypt patients’ personal data. 

The DPC’s inquiry examined the HSE’s technical and organisational measures for ensuring the security of processing personal data on the systems that were attacked. It also examined the HSE’s compliance with the GDPR in relation to its contracts with service providers such as third-party data processors, its record of processing activities, and the requirement to notify persons who are affected by high-risk breaches. 

The DPC’s decision, which was notified to the HSE on 11 June 2026, finds that the HSE:

  • infringed the principle of integrity and confidentiality in Article 5(1)(f) GDPR by failing to ensure appropriate security of patients’ personal data through appropriate technical and organisational measures;
  • infringed Article 28 GDPR by not ensuring that agreements with third parties that processed personal data on its behalf included sufficient safeguards to ensure that processing was fully compliant with the GDPR and that the rights of data subjects were protected;
  • infringed Article 30 GDPR by failing to have a complete and compliant record of processing activity at the time of the breach;
  • infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data on the systems affected by the ransomware attack; and
  • infringed Article 34 GDPR by its failure to provide to persons affected by the breach all information required by that Article.


In light of the infringements identified above, the DPC has:

  • reprimanded the HSE;
  • fined the HSE €300,000 for the infringements of Articles 5(1)(f) and 32(1) GDPR; and
  • ordered the HSE to implement specified policies and procedures intended to ensure appropriate security of processing of personal data.

DPC Deputy Commissioner, Graham Doyle commented: “The HSE estimated that the personal data of approximately 84,000 persons was affected by this breach. While there was no clear evidence that the attackers had exfiltrated clinical data, a forensic report on the breach was not able to exclude the possibility of such action. The sensitive nature of the personal data, and the large number of persons potentially affected, therefore posed risks to the clinical care of patients, and of disclosure and misuse of their personal data.

The DPC acknowledges the considerable improvements made by the HSE in the intervening period of time since the breach, and its commitment to ongoing improvements.”

The DPC will publish the full decision in due course.