The island's secondary healthcare provider initially claimed it had installed the security updates, but investigations found that four were not installed, one of which was classed as critical by Microsoft.
The MSG had threat detection software in place, but it was not until 2023 that it was discovered that the software had detected and removed 54 unique malicious files over a three-month period in 2021, with nobody having acted on those detections at the time.
Criminals were able to steal emails, some of which contained sensitive health information.
The MSG offers private healthcare, as well as care under a contract with the States' Health & Social Care Committee.
The Data Protection Authority fined the MSG £100,000, of which £75,000 needs to be paid within 60 days.
The balance is due in 14 months’ time, but will be waived if the MSG completes all the remedial actions within this timeframe.
Data protection commissioner Brent Homan was hopeful there would be no repeat.
‘Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at the MSG fell well short of legal requirements,’ he said.
‘Looking to the future, the new CEO [Dr Farid Fouladinejad, who joined the MSG in May] has committed to positioning the MSG as a leader in the health sector for safeguarding data.
‘In fact, the action plan developed by the MSG not only meets but exceeds what we would have expected.
‘I am confident that when the plan has been fulfilled Bailiwick residents, many of whom use the MSG’s services, should benefit from an exceptional level of protection for their health information.’
The MSG first spotted a problem in December 2021, after receiving several suspicious emails indicating that its email server had been accessed by cyber criminals.
An internal investigation found that the server had been compromised in August 2021 via a collection of vulnerabilities. These enabled cyber criminals to access and steal emails stored on the server, some of which contained sensitive patient health data.
These emails were used to facilitate multiple phishing campaigns targeting MSG patients over a series of months.
The number of emails stolen is unknown.
The attack was limited to the email system and did not affect the patient record management system.
The MSG notified the Data Protection Authority and an inquiry was initiated.
It found that the MSG had failed to take reasonable steps to ensure the security of personal data, having not installed security updates on its email server over the course of 13 months.
These included updates directly related to the vulnerabilities exploited in the breach, as well as updates for other critical vulnerabilities.
The authority also found failures in how the MSG operated its threat detection software, which led to several missed opportunities to detect unauthorised access to the email server.
The authority also found failures in the MSG’s breach investigation, which did not identify the root cause of why the server was vulnerable.
At the time of the incident the MSG used an on-premises Microsoft Exchange 2016 server.
It has now moved to a cloud-based Office 365 solution.
MSG ‘committed to safeguarding islanders’ health information’
Security improvements have been made at the Medical Specialist Group and more are planned, the healthcare provider has said.
The MSG stated that it was committed to safeguarding islanders’ health information.
Chief Executive Dr Farid Fouladinejad said changes were being made.
‘Protecting our patients’ information is one of our highest priorities,’ he said.
‘Four years ago, we were hit by a global cyber incident that affected many organisations in public and private sectors across the world. Since then, we’ve taken significant steps to strengthen our systems and ensure we meet the highest standards of data security. Our plan for the next 12 months will take us to an even higher level of security.’
Since the incident, the MSG has made enhancements to its cybersecurity infrastructure, including investment in new technology, system monitoring, and staff training, bringing the organisation in line with national and international best practice.
However, it said there was more that could be done.
The MSG said it intended to work with the States, the Office of the Data Protection Authority and other healthcare providers on the island to develop a unified, secure and interoperable framework for information sharing in the future.
‘This ongoing work will support better clinical decisions, improve patient outcomes, and help build a more integrated healthcare system where information is accessible at the right place, at the right time and in a secure way so that patients get the best possible care,’ said Dr Fouladinejad.
‘We welcome the ODPA’s constructive and collaborative engagement throughout this process and remain committed to implementing our agreed action plan. As the interface between GPs and the wider healthcare system in the Bailiwick, the MSG will share the learning and experience from this incident with other interested healthcare and governmental organisations.
‘We take the responsibilities of securing patients’ information very seriously and rely heavily on the cooperation and coordination from the States to ensure that appropriate IT systems are in place. We at the MSG are fully committed to restoring islanders’ trust in how we protect their personal information.’