Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.
The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network.
The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service.
Hundreds of Legal Proceedings Underway Following the HSE Cyberattack
As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.”
According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options.
The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack.
As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.”
In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period.
Cybersecurity Overhaul Following the Conti Attack
Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE.
The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.
The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms.