ICO warns GP practice over hacked webmail account

A GP practice is acting on a breach of the Data Protection Act linked to the surgery’s hacked webmail account

A GP practice in County Armagh, Northern Ireland, is taking action over a breach of the Data Protection Act linked to a hack of the surgery’s free webmail account.

The Information Commissioner’s Office (ICO) said the breach was caused when hackers compromised a free web-based email account used by the Burnett Practice to inform patients of upcoming smear tests appointments.

The Portadown practice became aware of the problem in October last year only when patients reported receiving emails claiming to be from a doctor at the surgery asking them to provide their bank account details.

While no sensitive information was accessed, the account included the email addresses of about 175 patients, who had been invited to a smear test and been informed that results were normal.

“We should not have to tell GP practices that using free email accounts to send details of patients’ medical appointments is unacceptable,” said Ken Macdonald, ICO assistant commissioner for Northern Ireland.

“The health service is given access to secure email accounts for a reason, and Burnett Practice’s decision to use a free web-based account placed the information at unnecessary risk.”

The practice has signed an undertaking to improve the security arrangements around its email accounts, update its procedures to make sure patients’ information is properly looked after and improve the training it provides to its staff.

“The practice can consider itself lucky that the information was not particularly sensitive; otherwise it could have been facing a substantial financial penalty,” said Macdonald.

The email account concerned has been closed and the practice has informed those patients affected, the ICO said.

The ICO has produced guidance to help the health service look after patients’ information by meeting their legal obligations under the Data Protection Act.

Read more on Privacy and data protection