Breach details

| Item | Detail |
|---|---|
| What | Names and email addresses. |
| How much | About 175 records. |
| When | 3 October 2012 or earlier |
| Why | The email service provider that the practice used wasn’t suitable for sending sensitive medical results because it didn’t provide the appropriate technical security measures. As a result, the practice’s email account was hacked. |
BW Comments
Organisations should treat this as an indication that, where cloud-based web-email services are used, they should select services that offer two-factor authentication (e.g. Google Authenticator).
Regulatory action

| Item | Detail |
|---|---|
| Regulator | ICO |
| Action | Undertaking to comply with the seventh data protection principle |
| When | 26 April 2013 |
| Details | The practice must use secure means of communication for test results – email can only be used if its security can be guaranteed. A security policy that is adequate to transfer patient data securely must be put in place, and staff must be made aware of this and trained. |
BW Observations
Based on previous decisions, the loss of 175 medical records would seem to be a candidate for a Monetary Penalty rather than an undertaking. However, in this case the Commissioner would have struggled to satisfy the ‘known or should have known’ test, given that most people (incorrectly) assume their email is generally safe from third-party attack.
Links
View PDF of The Burnett Practice Undertaking (Breach Watch Archive)
View PDF of The Burnett Practice Undertaking (Via ICO Website)
Follow Up
The ICO conducted a follow-up assessment on 17 October 2013.
View PDF of the Burnett Practice Undertaking Follow Up (Breach Watch Archive)
View PDF of the Burnett Practice Undertaking Follow Up (Via ICO Website)