Firm fined £100k after hack exposed patient data

An investigation found MSG had failed to install critical security updates that could have prevented the attack

A firm providing emergency medical services has been fined £100,000 after a serious data breach exposed sensitive patient information.

Thousands of emails, some containing confidential health data, were stolen from the Medical Specialist Group (MSG) in Guernsey and later used in phishing campaigns targeting patients, said the Office of the Data Protection Authority (ODPA) in a statement.

The breach began in August 2021 but was not discovered until more than three months later, said the ODPA, which issued the fine.

MSG said it had made "major enhancements to its cybersecurity infrastructure, including substantial investment in new technology, system monitoring, and staff training".

The ODPA, which noted missed opportunities to detect the breach and a failure to install critical security updates that could have prevented the attack, said MSG had breached the Data Protection Law by not taking reasonable steps to secure personal data.

"Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements," said commissioner Brent Homan.

MSG must pay £75,000 within 60 days, with a further £25,000 due in 14 months, though this may be waived if the group completes an action plan.

Mr Homan said MSG's chief executive Dr Farid Fouladinejad had "committed to positioning MSG as a leader in the health sector for safeguarding data".

He said MSG's plan "exceeds what we would have expected" and he was confident bailiwick residents "should benefit from an exceptional level of protection for their health information".

Restoring trust

Dr Fouladinejad said protecting patients' information was "one of our highest priorities".

"We welcome the ODPA's constructive and collaborative engagement throughout this process and remain committed to implementing our agreed action plan," he said.

"We take the responsibilities of securing patients' information very seriously.

"We at the MSG are fully committed to restoring islanders' trust in how we protect their personal information."
