The Office of the Data Protection Authority has sanctioned First Contact Health after a phishing attack led to unauthorised access to an employee email account containing sensitive health data.
The Authority confirmed that First Contact Health became aware on 21 May 2024 that cyber criminals had gained access to an employee’s email account. The breach came to light after the organisation identified fraud attempts linked to the compromised account.
First Contact Health notified the Authority in line with its statutory obligations. However, concerns about the security measures in place prior to the breach prompted the regulator to launch a formal inquiry.
The Authority found that First Contact Health had failed to implement sufficient security safeguards to prevent unauthorised access to personal data accessible via the account. This was considered particularly serious given that the organisation processes health information, which is classified as special category data under the Law and requires enhanced protection.
The inquiry identified several failings:
- Multi-factor authentication (MFA) had not been implemented, meaning only an email address and password were required to access the account.
- No additional conditional access policies were in place, such as IP-address-based geo-blocking, to reduce the risk of unauthorised access.
- The organisation had not deployed tools to monitor suspicious authentication activity, resulting in the breach going undetected for at least five months.
- Regular security audits or penetration testing had not been carried out, reducing the likelihood that vulnerabilities would have been identified and addressed earlier.
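The three technical gaps listed above (password-only sign-in, no geographic conditional access, and no monitoring of authentication activity) map directly onto rules a defender can run over mailbox sign-in logs. The following is an added illustration, not code from the Authority or from First Contact Health: it takes a constructed set of sign-in events (hypothetical users, RFC 5737 documentation addresses, an assumed allow-list of countries) and flags successful sign-ins that completed without MFA, came from outside the expected regions, followed a rapid change of country for the same account, or were preceded by a burst of failed attempts. Thresholds and window sizes are assumptions chosen for the example.

```python
"""Rule-based review of mailbox sign-in events for the control gaps named in the inquiry:
sign-ins completed without MFA, sign-ins from outside the expected regions, and patterns
of suspicious authentication (rapid country change, burst of failures then success)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real logs): two accounts, one of which
# is accessed from abroad without MFA after three failed attempts.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T08:01:00", "user": "alice@example.test", "ip": "203.0.113.10", "country": "GG", "mfa": True,  "result": "success"},
    {"ts": "2024-05-20T08:30:00", "user": "alice@example.test", "ip": "198.51.100.7", "country": "US", "mfa": False, "result": "failure"},
    {"ts": "2024-05-20T08:31:00", "user": "alice@example.test", "ip": "198.51.100.7", "country": "US", "mfa": False, "result": "failure"},
    {"ts": "2024-05-20T08:32:00", "user": "alice@example.test", "ip": "198.51.100.7", "country": "US", "mfa": False, "result": "failure"},
    {"ts": "2024-05-20T08:33:00", "user": "alice@example.test", "ip": "198.51.100.7", "country": "US", "mfa": False, "result": "success"},
    {"ts": "2024-05-20T09:00:00", "user": "bob@example.test",   "ip": "203.0.113.22", "country": "GG", "mfa": True,  "result": "success"},
]

ALLOWED_COUNTRIES = {"GG", "GB"}       # assumed: where staff are expected to sign in from
TRAVEL_WINDOW = timedelta(hours=1)     # assumed: two countries inside this window is implausible travel
FAILURE_WINDOW = timedelta(minutes=15) # assumed: look-back for failed attempts before a success
FAILURE_THRESHOLD = 3                  # assumed: failures in that window that count as a burst


def analyse_signins(events, allowed_countries=ALLOWED_COUNTRIES):
    """Return a list of (user, rule, timestamp) findings in chronological order."""
    findings = []
    last_success = {}                     # user -> (datetime, country) of last successful sign-in
    recent_failures = defaultdict(list)   # user -> failure timestamps since the last success

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]

        if e["result"] != "success":
            recent_failures[user].append(ts)
            continue

        # Rule 1: password-only access, the first gap the inquiry identified.
        if not e["mfa"]:
            findings.append((user, "no_mfa", e["ts"]))

        # Rule 2: sign-in from a region the organisation does not operate in
        # (what an IP-based conditional access policy would have blocked).
        if e["country"] not in allowed_countries:
            findings.append((user, "outside_allowed_geo", e["ts"]))

        # Rule 3: the same account seen in two countries within a short window.
        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if prev_country != e["country"] and ts - prev_ts <= TRAVEL_WINDOW:
                findings.append((user, "rapid_country_change", e["ts"]))

        # Rule 4: a burst of failures immediately followed by a success.
        burst = [f for f in recent_failures[user] if ts - f <= FAILURE_WINDOW]
        if len(burst) >= FAILURE_THRESHOLD:
            findings.append((user, "failures_before_success", e["ts"]))
        recent_failures[user].clear()

        last_success[user] = (ts, e["country"])

    return findings


def rules_for(findings, user):
    """Set of rule names raised for one account, for a quick triage summary."""
    return {rule for (u, rule, _ts) in findings if u == user}


if __name__ == "__main__":
    for user, rule, ts in analyse_signins(SAMPLE_EVENTS):
        print(f"{ts}  {user:<22} {rule}")
```

Run against the constructed events, every finding lands on the single unprotected sign-in at 08:33 and none on the MFA-protected account, which is the point: each of the four rules is cheap to evaluate from data a mail platform already records, and any one of them would have surfaced the kind of access that here went unnoticed for months.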
The Authority concluded that First Contact Health had breached the Law by failing to implement reasonable measures to ensure the security of personal data. It has imposed an enforcement order requiring the organisation to take a number of steps to strengthen its security safeguards. The regulator confirmed it will monitor compliance and may take further enforcement action if the order is not met.
Commissioner Brent Homan said: “When you are responsible for highly sensitive personal information such as clients’ health data, it is critical to engage elevated authentication measures to guard against cyber attacks. We appreciate First Contact Health’s cooperation with our investigation and are confident that with the additional measures adopted through the enforcement order, the security of its clients’ data has been strengthened.”