Flaws in a healthcare provider’s email security meant cyber criminals were able to access an email account and potentially view sensitive data – including patients’ medical information.
The account, belonging to an employee of First Contact Health, was compromised for “at least five months” up to May 2024, according to Guernsey’s Office of the Data Protection Authority (ODPA).
The company had failed to implement Multi-Factor Authentication (MFA), so hackers could access the emails if they guessed the password or tricked the owner into revealing it.
It had also failed to put adequate security monitoring safeguards in place, the ODPA said in its enforcement order, which meant the breach was spotted months later than it might have been.
Brent Homan, Data Protection Commissioner, said it was “critical” to use extra security measures when dealing with “highly-sensitive personal information such as clients’ health data”.
Health information is considered ‘special-category data’ under Guernsey law, so “enhanced security measures” should be taken, the ODPA said.
Taken with ‘utmost seriousness’
First Contact Health said it had “completed a comprehensive system-wide security upgrade” since it reported the “isolated” incident.
Dr Ranjan Vhadra said the company took privacy “with the utmost seriousness” and had spent time and money trying to create a “safe and secure environment” since.
Mr Homan said the ODPA “appreciated” the company’s cooperation and was “confident” in the measures it had put in place since.

How easy are passwords to crack?
Using modern computing power, short passwords can be cracked very quickly.
Criminals use variations of a technique called a ‘brute force attack’ to try all the possible combinations of numbers and letters.
It’s kind of like trying all the numbers on a bike lock until you find one that unlocks it – except instead of trying a few combinations every minute, computers can try billions.
And just like a bike lock, the shorter the code the less time it will take to crack.
A six-character password can usually be cracked in a fraction of a second – and 59% of real-world passwords can be cracked in less than an hour, according to security firm Kaspersky.
So what can you do about it?
Choose longer passwords
The first step is to choose – and force your employees to use – longer passwords or ‘passphrases’ – short sentences containing unrelated words.
Increasing the length of your password or passphrase to 20 characters means a brute force attack would take billions or even trillions of years with current hardware.
America’s National Institute of Standards and Technology (NIST) recommends passwords or passphrases that are at least 15 characters long, ideally longer.
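The bike-lock comparison above comes down to arithmetic: the number of candidates a brute-force search has to cover grows as (alphabet size) to the power of (length), so each extra character multiplies the work. The following Python script is an added example, not code from the article, Kaspersky or NIST; it estimates the worst-case exhaustive-search time for a password at an assumed guess rate (10 billion guesses per second is a round figure chosen for illustration, not a measured one) and applies the 15-character minimum quoted from NIST as a policy check. The passwords it scores are constructed.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Character classes of printable ASCII. Once a password is known to use a class,
# an exhaustive search has to include every character of that class.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digit": string.digits,              # 10
    "symbol": string.punctuation + " ",  # 33 (all four classes together: 95)
}


def alphabet_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet covering every class the password uses."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length must cover."""
    return alphabet_size(password) ** len(password)


def exhaustive_search_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the given rate (assumed rate, for illustration)."""
    return keyspace(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < 1:
        return f"{seconds:.3f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:.3g} years"


def meets_minimum_length(password: str, minimum: int = 15) -> bool:
    """Length-only policy check matching the minimum the article quotes from NIST."""
    return len(password) >= minimum


if __name__ == "__main__":
    # Constructed sample passwords: a short one, a 'complex' medium one, and a passphrase.
    for pw in ["abc123", "Tr0ub4d0r&3", "correct horse battery staple"]:
        print(f"{pw!r:34} alphabet={alphabet_size(pw):3} length={len(pw):2} "
              f"search={human_duration(exhaustive_search_seconds(pw)):>18} "
              f"policy={'ok' if meets_minimum_length(pw) else 'too short'}")
```

Run it and the six-character password comes out at a fraction of a second, while the 28-character passphrase, even though it uses only lowercase letters and spaces, lands at a number of years with dozens of digits; length does far more work than mixing in symbols.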
What is MFA?
While longer passwords are better than shorter ones, they’re still not perfect.
If someone gets tricked into sharing their password – for example by a phishing scam – then their account could be compromised.
Likewise, people often reuse the same password across multiple accounts, such as their email and social media, so if one account is hacked they all are.

So, security experts recommend using Two-Factor Authentication or Multi-Factor Authentication (MFA).
This means you need more than just your password to access your email or other computer system.
The most common form of MFA is an app which users have to check when they try to log in, especially on a new device.
The app will either ask them to type in a code to prove it’s them, or use biometric scans – such as fingerprints, facial or iris scans.
This means that even if a hacker gets your password, they still face an extra hurdle before they can get in.
The ODPA said it “highly recommended” organisations implement MFA where possible.
It also recommended using “conditional access policies” – such as restricting access to people on a corporate network or VPN – and using ongoing monitoring to “detect suspicious authentication activity”.
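The two recommendations above, conditional access and monitoring for suspicious authentication activity, are what would have caught this breach sooner. The following Python is an added example, not code from the article or the ODPA, showing one way to express both: a conditional access rule that only allows sign-ins from the corporate network or with MFA, and a detector run over sign-in log lines that flags an off-network sign-in without MFA and a burst of failed attempts followed by a success. The log lines, user names and the corporate address ranges (documentation prefixes used as placeholders) are all constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: the organisation's own address ranges (placeholders, not real infrastructure).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample sign-in log, not from any real system.
SAMPLE_LOG = """\
2024-03-02T02:00:01Z user=alice ip=198.51.100.7 result=failure mfa=no
2024-03-02T02:00:09Z user=alice ip=198.51.100.7 result=failure mfa=no
2024-03-02T02:00:17Z user=alice ip=198.51.100.7 result=failure mfa=no
2024-03-02T02:00:25Z user=alice ip=198.51.100.7 result=failure mfa=no
2024-03-02T02:00:33Z user=alice ip=198.51.100.7 result=failure mfa=no
2024-03-02T02:01:02Z user=alice ip=198.51.100.7 result=success mfa=no
2024-03-02T08:15:44Z user=bob ip=203.0.113.20 result=success mfa=no
2024-03-02T09:02:10Z user=carol ip=192.0.2.33 result=success mfa=yes
2024-03-02T09:30:00Z user=bob ip=203.0.113.20 result=failure mfa=no
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into an event dict."""
    ts_text, *fields = line.split()
    event = {"time": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["success"] = event["result"] == "success"
    event["mfa"] = event["mfa"] == "yes"
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip: str) -> bool:
    address = ipaddress.ip_address(ip)
    return any(address in net for net in CORPORATE_NETWORKS)


def conditional_access(ip: str, mfa_satisfied: bool) -> str:
    """Policy: allow from the corporate network; off-network sign-ins only with MFA."""
    return "allow" if is_corporate(ip) or mfa_satisfied else "deny"


def find_suspicious(events: list, failure_threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> list:
    """Return findings for sign-ins that violate policy or follow a burst of failures."""
    findings = []
    recent_failures = defaultdict(deque)  # (user, ip) -> timestamps of failed attempts
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        if not ev["success"]:
            recent_failures[key].append(ev["time"])
            continue
        if conditional_access(ev["ip"], ev["mfa"]) == "deny":
            findings.append({"rule": "off_network_without_mfa", "user": ev["user"],
                             "ip": ev["ip"], "time": ev["time"].isoformat()})
        failures = recent_failures[key]
        while failures and ev["time"] - failures[0] > window:  # drop failures outside the window
            failures.popleft()
        if len(failures) >= failure_threshold:
            findings.append({"rule": "failure_burst_then_success", "user": ev["user"],
                             "ip": ev["ip"], "failures": len(failures),
                             "time": ev["time"].isoformat()})
        failures.clear()
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

Against the sample log the detector raises both rules for `alice` only: her sign-in came from outside the corporate network without MFA, after five failures in under a minute. `bob` signs in from the corporate range and `carol` from outside it with MFA, so both pass the policy. In production the same logic would run continuously over the identity provider's sign-in events rather than once over a file, which is the "ongoing monitoring" the ODPA asks for.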