BreachExchange mailing list archives
GP practice in County Armagh warned after patients’ details compromised following email attack
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 26 Apr 2013 14:53:39 -0400
http://www.ico.org.uk/news/latest_news/2013/gp-practice-in-county-armagh-warned-after-email-attack-26042013 A GP practice in County Armagh is taking action to improve the way it looks after patients’ information following a breach of the Data Protection Act investigated by the Information Commissioner’s Office (ICO). The breach was caused when a free web-based email account, used by the Burnett Practice to inform patients of upcoming smear tests appointments, was hacked. The Portadown practice only became aware of the problem in October last year when patients reported receiving strange emails claiming to be from a doctor at the surgery asking them to provide their bank account details. While no sensitive information was accessed, the account included the email addresses of approximately 175 of the practice’s patients, who had been previously invited to a smear test and received confirmation that the results were normal. Ken Macdonald, ICO Assistant Commissioner for Northern Ireland, said: “We should not have to tell GP practices that using free email accounts to send details of patients’ medical appointments is unacceptable. The health service is given access to secure email accounts for a reason, and Burnett Practice’s decision to use a free web-based email account placed the information at unnecessary risk. “As well as improving the security arrangements around its email accounts, the practice will now update its procedures to make sure patients’ information is properly looked after and improve the training it provides to its staff. The practice can consider itself lucky that the information was not particularly sensitive; otherwise it could have been facing a substantial financial penalty.” The email account at the centre of this investigation has now been closed and the practice has informed those patients affected. Further details about the case can be found in the undertaking signed by the practice (pdf). The ICO has produced guidance to help the health service look after patients’ information by meeting their legal obligations under the Data Protection Act. _______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges.
Current thread:
- GP practice in County Armagh warned after patients’ details compromised following email attack Erica Absetz (Apr 26)