The MSG has been fined £100,000 after cyber criminals got hold of patient data.

It happened in December 2021, four months after the Medical Specialist Group’s server was compromised.

An internal investigation by the MSG discovered that the server was compromised in August that year, “via a collection of vulnerabilities” said the Data Protection Authority.

The cyber criminals were able to access e-mails, including some which contained sensitive patient health data.

Those e-mails were in turn used in “multiple phishing campaigns targeting MSG patients over a series of months”.

The ODPA said the total number of e-mails stolen is unknown but thousands were rendered vulnerable to theft.

Although the MSG reported the data breach itself, the ODPA found that the MSG had “failed to take reasonable steps to ensure the security of personal data”.

The faults identified included the MSG's routine failure to install security updates, and its own use of ‘threat detection software’.

Pictured (l-r): MSG Chair Dr Steve Evans, CEO Dr Farid Fouladinejad, and Deputy Chair Dr Michelle Le Cheminant (Paul Chambers) (file image).

Even after the MSG had launched its own investigation into the security breach it couldn’t find the root cause of it. The ODPA said that meant it had failed to take reasonable steps to ensure an appropriate level of security of patients’ personal data.

Data Protection Commissioner Brent Homan said the MSG’s failings were “at the more serious end of the scale” but the £100,000 fine could be reduced if the Medical Specialist Group now does everything the ODPA deems necessary to protect its data.

“Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements,” said Commissioner Homan.

“Looking to the future, the new CEO has committed to positioning MSG as a leader in the health sector for safeguarding data. In fact, the Action Plan developed by MSG not only meets, but exceeds what we would have expected. I am confident that when the plan has been fulfilled, Bailiwick residents, many of whom use MSG’s services, should benefit from an exceptional level of protection for their health information.”

Pictured: ODPA Commissioner Brent Homan.

The MSG has been fined £100,000, with £75,000 payable by the MSG within 60 days of the determination, which was published on Monday afternoon.

The remaining £25,000 is due to be paid within 14 months’ time but will be waived if the MSG completes all the remedial actions the ODPA has recommended.