Cyber criminals targeted thousands of patients after stealing data from MSG

  • Medical Specialist Group fined up to £100,000 by Data Protection Authority
  • Cyber criminal theft of emails at end of 2021 not noticed for three months
  • They used the data to target patients with scams
  • Action plan by MSG in response said to exceed DPA expectations

Cyber criminals exploited basic shortcomings in how the MSG looked after patient data to steal emails, something that has now led to the company being fined up to £100,000.

In response, the MSG has announced an action plan to safeguard data which exceeds what the Data Protection Commission, which issued the fine, expected.

It took three months for the company to notice what had happened at the end of 2021, with cyber criminals stealing emails stored on its server, some of which contained sensitive patient information.

Those details were then used in phishing campaigns, a type of cyberattack where criminals impersonate legitimate sources to trick people into revealing sensitive information such as passwords, credit card numbers or banking details, targeting MSG patients over several months.

While the total number of emails stolen is still unknown, the DPA said that thousands of patients were left vulnerable as a result of the theft.

An inquiry by the DPA found the MSG had breached the Data Protection Law because it had failed to take reasonable steps to ensure the security of personal data.

In particular, the MSG routinely failed to install security updates on its e-mail server over the course of 13 months. This included updates that addressed the vulnerability exploited in the breach, as well as other critical vulnerabilities.

The Authority also found failures with the MSG’s application of threat detection software, which meant there were several missed opportunities to detect unauthorised access to its e-mail server.

There was a three-and-a-half-month delay between when the server was compromised in August 2021 by the cyber attackers, and when it was ultimately detected and reported in December that year.

Finally, the Authority found failures in the MSG’s breach investigation, because the MSG failed to identify the root cause of why the server was vulnerable, or to recognise the above failures in its application of threat detection software.

“Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements,” said Commissioner Brent Homan.

“Looking to the future, the new CEO has committed to positioning MSG as a leader in the health sector for safeguarding data. In fact, the Action Plan developed by MSG not only meets, but exceeds what we would have expected.

“I am confident that when the plan has been fulfilled, Bailiwick residents, many of whom use MSG’s services, should benefit from an exceptional level of protection for their health information.”

The Authority has imposed an administrative fine of £100,000 against the MSG.

£75,000 of this is payable by the MSG within 60 days, and the remaining £25,000 in 14 months’ time.

The £25,000 will be waived if the MSG completes all the remedial actions it has committed to undertake through its security safeguard Action Plan.

There was no impact on the MSG’s patient record management system.

The MSG said that it uses email to exchange information with patients because the hospital IT systems provided by the States do not offer MSG doctors and admin staff any other way of communicating electronically with patients and other healthcare professionals.

Dr Farid Fouladinejad, Chief Executive of MSG, said: “Protecting our patients’ information is one of our highest priorities.

“Four years ago, we were hit by a global cyber incident that affected many organisations in public and private sectors across the world.

“Since then, we’ve taken significant steps to strengthen our systems and ensure we meet the highest standards of data security. Our plan for the next 12 months will take us to an even higher level of security.”

Since the attack, the MSG has enhanced its cybersecurity infrastructure, including investment in new technology, system monitoring, and staff training.

To advance data security and healthcare information sharing, the MSG has expressed its intention to collaborate with the States, the ODPA, and other healthcare providers on a unified and secure information-sharing framework.

Dr Fouladinejad added, “This ongoing work will support better clinical decisions, improve patient outcomes, and help build a more integrated healthcare system where information is accessible at the right place, at the right time and in a secure way so that patients get the best possible care.”