
Public Statement:

The Medical Specialist Group fined £100,000 following cyber-attack breach

Published: 20 October 2025

The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 1 pm 20 October 2025
Controller: The Medical Specialist Group LLP

What happened?

In December 2021, the Medical Specialist Group LLP (“the MSG”) became aware of a personal data breach after it received several suspicious emails indicating that its e-mail server had been accessed by cyber criminals.

An internal investigation conducted by the MSG identified that the server had been compromised in August 2021 through a set of vulnerabilities. These vulnerabilities enabled cyber criminals to access and steal e-mails stored on the server, some of which contained sensitive patient health data.

These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a period of several months. The total number of e-mails stolen is unknown, but thousands were exposed to theft.

The MSG notified the Data Protection Authority (“the Authority”) of this breach in line with its breach notification obligations under the Data Protection Law, and an inquiry was initiated by the Authority.

The inquiry found the MSG had breached the Data Protection Law because it had failed to take reasonable steps to ensure the security of personal data.

In particular, the Authority found that the MSG routinely failed to install security updates on its e-mail server over the course of 13 months. This included updates that addressed the vulnerabilities exploited in this breach, as well as other critical vulnerabilities.

The Authority also found failures in the MSG’s deployment of threat detection software, which meant there were several missed opportunities to detect unauthorised access to its e-mail server.

In fact, there was a three-and-a-half-month delay between when the server was compromised by the cyber attackers, and when it was ultimately detected and reported.

Finally, the Authority found failures in the MSG’s breach investigation: the MSG neither identified the root cause of why the server was vulnerable, nor recognised the failures in its deployment of threat detection software described above.

Why was that a problem?

Organisations are required under the Law to take reasonable steps to ensure an appropriate level of security of personal data. To achieve this, organisations must implement measures to reduce the risk of personal data breaches.

In determining whether measures are reasonable, the Law outlines factors that must be taken into account. Particular care is required for special category data such as the medical information handled by the MSG, as the potential harms arising from its misuse are greater.

In this case, the MSG failed to implement fundamental information security measures which led to the breach and sensitive health data being stolen.

What has happened as a result?

The Authority found the MSG’s failings to adequately protect personal data breached the Law and were so serious that the threshold for a fine was met.

These contraventions of the Law were at the more serious end of the scale, due to the sensitive nature of personal data that was impacted by this breach.

Therefore, the Authority has imposed an administrative fine of £100,000 against the MSG.

£75,000 of this administrative fine is payable by the MSG within 60 days of this determination, and the remaining £25,000 in 14 months’ time.

The £25,000 will be waived if the MSG completes all the remedial actions it has committed to undertake through its security safeguard Action Plan within this timeframe.

“Medical information demands the highest level of safeguard protection against cyber-attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements,” said Commissioner Brent Homan.

“Looking to the future, the new CEO has committed to positioning MSG as a leader in the health sector for safeguarding data. In fact, the Action Plan developed by MSG not only meets, but exceeds what we would have expected. I am confident that when the plan has been fulfilled, Bailiwick residents, many of whom use MSG’s services, should benefit from an exceptional level of protection for their health information.”
What can be learned from this?

Organisations must implement robust processes to ensure that security updates are installed as soon as practicable following release.

Organisations are recommended to follow the National Cyber Security Centre’s guidance on Vulnerability Management when planning their approach to installing updates.

Security measures are a dynamic rather than static responsibility. It is not enough for a measure to be implemented and forgotten.

Organisations must ensure that security measures are correctly configured, monitored and tested at regular intervals.

When organisations become aware of personal data breaches, they must take steps to identify the root cause of the breach.

This involves asking why and how the breach was able to occur. By answering these questions, organisations can identify how to prevent similar breaches from happening again.

About the Office of the Data Protection Authority

The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by The Data Protection Authority. These include recording data breaches, investigating complaints, running education programmes and examining proposed legislation and how it may affect individual privacy. The ODPA strives to empower individuals to exercise their rights as well as to support organisations to meet their compliance requirements and take action where they fall short.