GP practice in County Armagh warned after patients’ details compromised following email attack

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.ico.org.uk/news/latest_news/2013/gp-practice-in-county-armagh-warned-after-email-attack-26042013

A GP practice in County Armagh is taking action to improve the way it
looks after patients’ information following a breach of the Data
Protection Act investigated by the Information Commissioner’s Office
(ICO).

The breach was caused when a free web-based email account, used by the
Burnett Practice to inform patients of upcoming smear tests
appointments, was hacked. The Portadown practice only became aware of
the problem in October last year when patients reported receiving
strange emails claiming to be from a doctor at the surgery asking them
to provide their bank account details.

While no sensitive information was accessed, the account included the
email addresses of approximately 175 of the practice’s patients, who
had been previously invited to a smear test and received confirmation
that the results were normal.

Ken Macdonald, ICO Assistant Commissioner for Northern Ireland, said:

“We should not have to tell GP practices that using free email
accounts to send details of patients’ medical appointments is
unacceptable. The health service is given access to secure email
accounts for a reason, and Burnett Practice’s decision to use a free
web-based email account placed the information at unnecessary risk.

“As well as improving the security arrangements around its email
accounts, the practice will now update its procedures to make sure
patients’ information is properly looked after and improve the
training it provides to its staff. The practice can consider itself
lucky that the information was not particularly sensitive; otherwise
it could have been facing a substantial financial penalty.”

The email account at the centre of this investigation has now been
closed and the practice has informed those patients affected.

Further details about the case can be found in the undertaking signed
by the practice (pdf).

The ICO has produced guidance to help the health service look after
patients’ information by meeting their legal obligations under the
Data Protection Act.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.