The island’s secondary healthcare provider initially claimed it had installed the security updates, but investigations found that four were not installed, one of which was classed as critical by Microsoft.
The MSG had threat detection software in place, but it was not until 2023 that it discovered the software had detected and removed 54 unique malicious files over a three-month period in 2021.
Criminals were able to steal emails, some of which contained sensitive health information.
The MSG offers private healthcare, as well as care under a contract with the States’ Health & Social Care Committee.
The Data Protection Authority fined the MSG £100,000, of which £75,000 needs to be paid within 60 days.
The balance is due in 14 months’ time, but will be waived if the MSG completes all the remedial actions within this timeframe.
Data protection commissioner Brent Homan was hopeful there would be no repeat.
‘Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at the MSG fell well short of legal requirements,’ he said.
‘Looking to the future, the new CEO [Dr Farid Fouladinejad, who joined the MSG in May] has committed to positioning the MSG as a leader in the health sector for safeguarding data.
‘In fact, the action plan developed by the MSG not only meets but exceeds what we would have expected.
‘I am confident that when the plan has been fulfilled Bailiwick residents, many of whom use the MSG’s services, should benefit from an exceptional level of protection for their health information.’
The MSG first spotted a problem in December 2021, after receiving several suspicious emails indicating that its email server had been accessed by cyber criminals.
An internal investigation found that the server had been compromised in August 2021 via a collection of vulnerabilities. These enabled cyber criminals to access and steal emails stored on the server, some of which contained sensitive patient health data.
These emails were used to facilitate multiple phishing campaigns targeting MSG patients over a series of months.
The number of emails stolen is unknown.
The attack was limited to the email system and did not affect the patient record management system.
The MSG notified the Data Protection Authority and an inquiry was initiated.
It found that the MSG had failed to take reasonable steps to ensure the security of personal data, having not installed security updates to its email server over the course of 13 months.
These included updates directly related to the vulnerability exploited in the breach, as well as updates for other critical vulnerabilities.
The authority also found failures in the MSG’s use of its threat detection software.
These led to several missed opportunities to detect unauthorised access to its email server.
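The missed-detection finding is, in practice, an alert-triage problem: the software removed the files it found, but nobody reviewed what it had removed, so repeated infections of the same server never became an incident. The script below is an added example and is not code from the original article, the MSG or its software vendor. It assumes a constructed, simplified log format (timestamp, host, action, path), a constructed host name and file paths, and a hand-maintained set of analyst acknowledgements; a real endpoint-protection product has its own schema, so the parser would need adapting.

```python
"""Triage check for endpoint-protection removals on a mail server.

Two questions a defender wants answered automatically:
  1. Are there removals nobody has acknowledged within a reasonable time?
  2. Is one host accumulating removals fast enough that the root cause
     (an unpatched service, a persistent foothold) is clearly still open?
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real product or the MSG's systems).
SAMPLE_LOG = r"""
2021-08-14T02:11:09Z MAIL01 DETECTED_REMOVED C:\Windows\Temp\upd1.exe
2021-08-14T02:11:09Z MAIL01 DETECTED_REMOVED C:\Windows\Temp\upd2.exe
2021-08-20T23:40:51Z MAIL01 DETECTED_REMOVED C:\Windows\Temp\svc.exe
2021-09-02T11:05:00Z MAIL01 SCAN_COMPLETE -
2021-10-30T04:17:33Z MAIL01 DETECTED_REMOVED C:\Windows\Temp\x.dll
"""

# Constructed: the only removal an analyst actually looked at, keyed host|path.
REVIEWED = {"MAIL01|C:\\Windows\\Temp\\svc.exe"}
# Constructed "current time" for the report.
NOW = datetime(2021, 12, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Detection:
    when: datetime
    host: str
    path: str


def parse_log(text: str) -> list[Detection]:
    """Keep only DETECTED_REMOVED events; scan summaries are not triage work."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, action, path = line.split(" ", 3)
        if action != "DETECTED_REMOVED":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Detection(when, host, path))
    return out


def unique_files(dets: list[Detection]) -> int:
    return len({d.path for d in dets})


def unreviewed(dets, reviewed: set, now: datetime, max_age: timedelta) -> list[Detection]:
    """Removals older than max_age that no analyst has acknowledged."""
    return [d for d in dets
            if f"{d.host}|{d.path}" not in reviewed and now - d.when > max_age]


def should_escalate(dets, window: timedelta, threshold: int) -> bool:
    """True if any host has >= threshold removals inside a sliding time window.

    Repeated removals on one server mean the product is cleaning up symptoms
    while the way in stays open; that is an incident, not background noise.
    """
    by_host: dict = {}
    for d in sorted(dets, key=lambda d: d.when):
        by_host.setdefault(d.host, []).append(d.when)
    for times in by_host.values():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                return True
    return False


def triage_report(text: str = SAMPLE_LOG, reviewed: set = REVIEWED, now: datetime = NOW) -> dict:
    dets = parse_log(text)
    return {
        "removals": len(dets),
        "unique_files": unique_files(dets),
        "unreviewed_after_7d": len(unreviewed(dets, reviewed, now, timedelta(days=7))),
        "escalate_3_in_30d": should_escalate(dets, timedelta(days=30), 3),
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

On the constructed sample the report flags three unacknowledged removals and recommends escalation, because three files were removed from the same host inside a 30-day window. The thresholds are deliberately arguments rather than constants: the right values depend on how noisy a given product is, but the point is that the review must be automated, since a queue that is only read by hand is the queue that sits unread for two years.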
The authority also found failures in the MSG’s breach investigation because it failed to identify the root cause of why the server was vulnerable.
At the time of the incident the MSG used an on-premises Microsoft Exchange 2016 server.
It has now moved to a cloud-based Office 365 solution.