HSE awarded €2 million ransomware ‘independent review’ contract without tender

The HSE awarded a longtime partner a €2 million contract without tender for an “independent review” into this summer’s ransomware attack, according to records released to The Ditch.

The lucrative contract was awarded to PwC in June, some six weeks after the 14 May attack that led to a complete shutdown of HSE IT systems and forced some hospitals to rely on patients’ paper records. It was awarded despite one HSE executive questioning whether it was lawful to do so without an open tender process.

The only published notice of the deal quotes its initial €250,000 fee. With total costs expected to exceed €2 million, Sinn Féin Finance Committee member Mairéad Farrell has said this is “a fairly unanswerable case that there needs to be a review of direct award contracts”.

In 21 June correspondence to the HSE, PwC partner Ciarán Kelly confirmed an initial fee of €250,000 plus VAT for a four-week “scoping phase” of the review into the ransomware attack.

HSE director of sourcing Brendan White in a 24 June email to head of procurement John Swords admitted that though he thought the contract was a done deal, he wasn’t sure whether it could be legally awarded without a tender. “This agreement appears to be a fait accompli… it is not possible for me to confirm that this award of contract is lawfully made under Article 32,” he wrote.

White was referring to article 32 of the 2014 EU procurement directive, which permits public authorities to award contracts without putting them to tender “for reasons of extreme urgency” brought about by “unforeseeable” events.

The HSE consulted Philip Lee solicitors on whether article 32 could be invoked. The solicitors confirmed “the extreme urgency of the task being indicated”, wrote Swords in a 9 July mail to HSE chief strategy officer Dean Sullivan: “Therefore article 32 applies,” Swords concluded.

Swords also wrote that “the figure of €2 million is an estimate at this point in the agreement. Firming up of the figure will be established in the coming weeks when the scope of phase 2 is fully complete”.

A 7 July contract award notice refers only to the initial outlay of €250,000. A separate notice published on 14 June shows that PwC was paid €114,897, again without an open tender, for “technical computer support services” relating to the same ransomware attack.

The HSE in 2016 awarded PwC a €12.6 million consultancy services contract, which ended in June this year. Public Accounts Committee chair Seán Fleming in April 2019 accused the consultancy firm of a "gross conflict of interest" for advising the HSE on the National Children's Hospital, just two months before it was paid almost €500,000 to conduct a review of budget overruns at the project.

Sinn Féin’s Mairéad Farrell said Ireland’s procurement regime “is in need of radical reform”.

“I have already asked minister McGrath would he be reviewing the use of the negotiated procedure without prior publication (i.e. direct award) but have not as of yet received a fully comprehensive and satisfactory answer. It is quite clear now that there needs to be a review of direct award contracts by contracting authorities during the course of the pandemic,” said the Galway West TD.

D. Goodman

D. Goodman