Cork-based medical supplies company denies it held HSE to ransom over patient data

A Cork-based medical supplies company has strongly denied that it held the HSE to ransom by seeking over €145,000 to “maintain the integrity” of sensitive patient data and threatening to sell it, a claim made by the executive in its High Court action against the firm.

Myles Murray, chief executive of PMD Device Solutions Ltd, told Mr Justice Brian Cregan today that the data in question was not the company’s to sell, and that he or the company never threatened to do so in its dealings with the HSE. 

He said the company was “managing” the patient data in question on behalf of the HSE, and it was not the company’s asset.

PMD, a subsidiary of Swedish company PMD Devices Solutions AB, previously held several contracts with the HSE to provide respiratory monitoring services – including providing respiratory rate sensors for use in hospitals across the State, and storage of patient data, according to court filing.

Those contracts were terminated in December 2024, and the company is now facing liquidation, the court heard.

In its action against the company, the HSE claims that PMD – following the termination of the contracts – sought a payment of €145,000 (excluding Vat) to “maintain the integrity” of the patient data it holds, “in circumstances where the [company] is under a duty to keep the data secure, and to return or delete it upon the termination of certain contracts”.

The HSE says that Mr Murray wrote in a January 13 email that third parties “will be able to begin bidding and purchasing” on the company’s assets “within 12 days”, after which the company “will have no ability to stand over the integrity of the data”.

The HSE says that this amounted to an “outrageous attempt” to hold it to ransom.

Mr Murray said that, following the HSE’s request for transfer and deletion of the patient data, PMD sought the money to pay for external certification of the data’s deletion from the company’s servers, as required. “The data was never ours to sell,” he said, adding that the company never threatened to do so.

In its case, the HSE says that PMD has “no contractual entitlement to payment in return for compliance with its obligations to return or delete the [HSE’s] data, and to maintain its integrity”.

Mr Justice Cregan said that this was an issue that the parties may have to deal with between themselves, noting that the HSE “may take a view on that”, given the company is on the brink of liquidation.

Mr Murray said that the company has been “proactive” in seeking to engage with the HSE. When noted by the judge that the company did not respond to a pre-litigation letter from the HSE, Mr Murray said that he had communicated a response to solicitors acting for the company in another action. The HSE did not receive this response, the court heard.

The judge allowed Mr Murray to address the court, despite his not being allowed under law to represent the company – only a solicitor or barrister can do this, he noted. Mr Murray said the company did not have funds to pay for legal representation.

Repeating orders he made last week, Mr Justice Cregan directed that PMD be restrained from selling, transferring or providing access to the patient data to any third party outside of the HSE, whether as part of a sale of assets or under any other arrangement. He also directed that the business preserve and maintain the data.

He also ordered that the company provide a list of “servers, clouds or other storage areas” where HSE patient data is held; the company grant access to HSE to the data; and that it transfer the data to the HSE, and following that, delete said data, subject to the HSE’s consent.