The MSG responds to ODPA’s final decision after 2021 cyber incident

The Medical Specialist Group (MSG) has reaffirmed its commitment to safeguarding islanders’ health information following the Office of the Data Protection Authority’s (ODPA) final decision regarding a cyber incident in 2021. 

In December 2021, the MSG’s email systems were targeted as part of a large-scale and sophisticated cyberattack that affected thousands of organisations worldwide, including healthcare and government bodies. 

The ODPA has now announced a fine of £100,000 for the group, reduced to £75,000 on delivery of an agreed action plan within the year. 

It cites a vulnerability in the MSG’s email systems that allowed attackers to send emails impersonating MSG accounts. The IT tools that MSG had in place at the time were giving incorrect and misleading confirmation that the systems were secure. On becoming aware of the attack, the MSG took immediate actions to secure the email systems, inform the ODPA and the public of the attack and engaged external cybersecurity specialists to investigate the incident.  

Their investigation confirmed that the attack was limited to the email system and did not affect the patient record management system. All patients whose emails were involved in the incident were contacted and apologised to in 2022. MSG uses emails to exchange information with patients as the hospital IT systems provided by the States of Guernsey do not offer MSG doctors and admin staff other ways of electronic communication with patients and other healthcare professionals.  

MSG Chief Executive Dr Farid Fouladinejad said, ‘Protecting our patients’ information is one of our highest priorities. Four years ago, we were hit by a global cyber incident that affected many organisations in public and private sectors across the world. Since then, we’ve taken significant steps to strengthen our systems and ensure we meet the highest standards of data security. Our plan for the next 12 months will take us to an even higher level of security’. 

Since the incident, the MSG has made major enhancements to its cybersecurity infrastructure, including substantial investment in new technology, system monitoring, and staff training, bringing the organisation in line with national and international best practice. However, there is always more that can be done. 

The MSG says it intends to work collaboratively with the States of Guernsey, the ODPA and other island healthcare providers to develop a unified, secure, and interoperable framework for information sharing in the future.  

‘This ongoing work will support better clinical decisions, improve patient outcomes, and help build a more integrated healthcare system where information is accessible at the right place, at the right time and in a secure way so that patients get the best possible care,’ added Dr Fouladinejad.  

‘We welcome the ODPA’s constructive and collaborative engagement throughout this process and remain committed to implementing our agreed action plan. As the interface between GPs and the wider healthcare system in the Bailiwick, the MSG will share the learning and experience from this incident with other interested healthcare and governmental organisations.  

‘We take the responsibilities of securing patients’ information very seriously and rely heavily on the cooperation and coordination from the States of Guernsey to ensure that appropriate IT systems are in place.  We at the MSG are fully committed to restoring islanders’ trust in how we protect their personal information’.