Ireland's DPC Fines HSE €300,000 Over 2018 Ransomware Attack on Hospital Lab System That Encrypted 84,000 Patient Records
Ireland's DPC has fined the HSE €300,000 over a 2018 ransomware attack on a hospital lab system that encrypted diagnostic data belonging to 84,000 patients - the fine took eight years to land.
Ireland's Data Protection Commission has fined the Health Service Executive €300,000 following an inquiry into a ransomware attack on the laboratory information system at Midland Regional Hospital Tullamore, Co. Offaly - an attack that occurred in November 2018 and exposed the diagnostic data of approximately 84,000 patients.
The DPC notified the HSE of its final decision on June 11, 2026. The inquiry examined the HSE's technical and organisational security measures, its contracts with third-party data processors, its record of processing activities, and its compliance with breach notification requirements under the GDPR.
The Attack
The breach was detected on November 14, 2018. Attackers gained access to computers storing and processing laboratory results - diagnostic test data for patients attending the Midland Regional Hospital - and encrypted that data. The attack was contained to the standalone lab system and did not spread further into HSE infrastructure. Clinicians were able to revert to paper-based records, and the HSE said there was no adverse clinical impact on patient care.
A forensic investigation was conducted, but it could not rule out the possibility that attackers had exfiltrated clinical data before encrypting it. No clear evidence of exfiltration was found, but the possibility was never excluded - leaving 84,000 patients without a definitive answer on whether their diagnostic records left the building.

What the DPC Found
The DPC's inquiry identified a number of GDPR infringements. The HSE had failed to ensure that its contracts with third-party data processors included sufficient safeguards to protect personal data and the rights of data subjects. It had also failed to provide all required information to individuals affected by the breach - meaning patients were not fully informed about what happened to their data or what risks they faced.
DPC Deputy Commissioner Graham Doyle said: "The sensitive nature of the personal data, and the large number of persons potentially affected, posed risks to the clinical care of patients, and of disclosure and misuse of their personal data."
In addition to the €300,000 fine, the DPC ordered the HSE to implement specified policies and procedures to ensure appropriate security of personal data processing going forward. The HSE has accepted the findings.
Eight Years
The gap between the breach and the final regulatory decision is significant in its own right. The attack happened in November 2018. The DPC's decision landed in June 2026. The 84,000 patients whose diagnostic data was encrypted - and potentially exfiltrated - waited nearly eight years for a regulatory conclusion. The fine represents approximately €3.57 per affected patient.
The DPC acknowledged the HSE has made considerable improvements in the intervening period, including integrating the previously standalone lab system into wider HSE infrastructure and investing in its broader cyber capability. That context matters - but it does not change the fact that healthcare data, including diagnostic test results, sat in an isolated system with insufficient third-party processor agreements and inadequate breach notification processes at the time of the attack.
The Bigger Picture
The Tullamore case is a reminder that healthcare ransomware incidents carry a long tail. The immediate clinical impact here was contained - paper records absorbed the disruption and no patients were directly harmed by the system outage. But diagnostic data is among the most sensitive categories of personal information: it can reveal chronic conditions, infectious disease status, and clinical history that patients may not have disclosed elsewhere. The inability to definitively rule out exfiltration after eight years is the part of this case that should sit uncomfortably with any organisation holding clinical data.
The structural failures the DPC identified - weak third-party processor agreements, incomplete breach notification - remain among the most common findings in healthcare data protection inquiries across Europe. Organisations running laboratory systems, diagnostic platforms, or any clinical data infrastructure on standalone or partially integrated systems should treat this case as a direct prompt to audit their processor contracts and breach response procedures now, rather than after an incident forces the question.