The Data Protection Authority has fined the Medical Specialist Group LLP £100,000 after a cyber-attack exposed sensitive patient information.
The investigation found serious and prolonged security failings, including missed updates and inadequate threat detection, which left thousands of emails containing health data vulnerable to theft.
In December 2021, the Medical Specialist Group (MSG) became aware of a personal data breach after it received several suspicious emails indicating that its e-mail server had been accessed by cyber criminals.
An internal investigation conducted by the MSG identified that the server had been compromised in August 2021 via a collection of vulnerabilities. These vulnerabilities enabled cyber criminals to access and steal e-mails stored on the server, some of which contained sensitive patient health data.
These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a series of months. The total number of e-mails stolen is unknown but thousands were rendered vulnerable to theft.
The MSG notified the Data Protection Authority of this breach in line with its breach notification obligations under the Data Protection Law, and an inquiry was initiated by the Authority.
The inquiry found the MSG had breached the Data Protection Law because it had failed to take reasonable steps to ensure the security of personal data.
In particular, the Authority found that the MSG routinely failed to install security updates to its e-mail server over the course of 13 months. This included updates that addressed the vulnerabilities exploited in the breach, as well as updates for other critical vulnerabilities.
The Authority also found failures in the MSG’s application of threat detection software, which meant there were several missed opportunities to detect unauthorised access to its e-mail server. There was a three-and-a-half-month delay between when the server was compromised by the cyber attackers and when the compromise was ultimately detected and reported.
Finally, the Authority found failures in the MSG’s breach investigation: the MSG failed to identify the root cause of why the server was vulnerable, and did not recognise the failures in its application of threat detection software described above.
The Authority found that the MSG’s failure to adequately protect personal data breached the Law and was so serious that the threshold for a fine was met. These contraventions of the Law were at the more serious end of the scale, due to the sensitive nature of the personal data impacted by this breach. Therefore, the Authority has imposed an administrative fine of £100,000 against the MSG.
£75,000 of this administrative fine is payable by the MSG within 60 days of this determination, and the remaining £25,000 in 14 months’ time. The £25,000 will be waived if the MSG completes all the remedial actions it has committed to undertake through its security safeguard Action Plan within this timeframe.
“Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements,” said Commissioner Brent Homan.
“Looking to the future, the new CEO has committed to positioning MSG as a leader in the health sector for safeguarding data. In fact, the Action Plan developed by MSG not only meets, but exceeds what we would have expected. I am confident that when the plan has been fulfilled, Bailiwick residents, many of whom use MSG’s services, should benefit from an exceptional level of protection for their health information.”
MSG Chief Executive Dr Farid Fouladinejad said: “Protecting our patients’ information is one of our highest priorities. Four years ago, we were hit by a global cyber incident that affected many organisations in public and private sectors across the world. Since then, we’ve taken significant steps to strengthen our systems and ensure we meet the highest standards of data security. Our plan for the next 12 months will take us to an even higher level of security.”
Since the incident, the MSG has made major enhancements to its cybersecurity infrastructure, including substantial investment in new technology, system monitoring, and staff training, bringing the organisation in line with national and international best practice. The MSG says it intends to work collaboratively with the States of Guernsey, the Office of the Data Protection Authority (ODPA) and other island healthcare providers to develop a unified, secure, and interoperable framework for information sharing in the future.
“This ongoing work will support better clinical decisions, improve patient outcomes, and help build a more integrated healthcare system where information is accessible at the right place, at the right time and in a secure way so that patients get the best possible care,” added Dr Fouladinejad.
“We welcome the ODPA’s constructive and collaborative engagement throughout this process and remain committed to implementing our agreed action plan. As the interface between GPs and the wider healthcare system in the Bailiwick, the MSG will share the learning and experience from this incident with other interested healthcare and governmental organisations.
“We take the responsibilities of securing patients’ information very seriously and rely heavily on the cooperation and coordination from the States of Guernsey to ensure that appropriate IT systems are in place. We at the MSG are fully committed to restoring islanders’ trust in how we protect their personal information.”