A GP practice in County Armagh has signed an undertaking to improve the security of patients’ information following a breach of the Data Protection Act investigated by the Information Commissioner’s Office (ICO).
The breach was caused when a free web-based email account used by the Burnett Practice to inform patients of upcoming smear tests appointments was hacked. The Portadown practice only became aware of the problem in October year when patients reported receiving strange emails claiming to be from a doctor at the surgery asking them to provide their bank account details. The practice notified the Information Commissioner’s Office on October 3, 2012.
While no sensitive information was accessed, the account included the names and email addresses of approximately 175 of the practice’s patients, who had been previously invited to a smear test and received confirmation that the results were normal. The practice was unable to determine exactly how many patients were affected because data had been wiped from the account as part of the attack.
Ken Macdonald, ICO Assistant Commissioner for Northern Ireland, said:
“We should not have to tell GP practices that using free email accounts to send details of patients’ medical appointments is unacceptable. The health service is given access to secure email accounts for a reason, and Burnett Practice’s decision to use a free web-based email account placed the information at unnecessary risk.
“As well as improving the security arrangements around its email accounts, the practice will now update its procedures to make sure patients’ information is properly looked after and improve the training it provides to its staff. The practice can consider itself lucky that the information was not particularly sensitive; otherwise it could have been facing a substantial financial penalty.”
The email account at the centre of this investigation has now been closed.