The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 2pm, 12 February 2026
Controller: First Contact Health
What happened?
On 21 May 2024, First Contact Health became aware that unauthorised access had been gained to an employee’s email account, when it discovered it had been the target of fraud attempts by cyber criminals.
The Authority was notified of the breach by First Contact Health in line with its obligations under the Law, and an Inquiry was initiated after concerns were identified relating to the security measures that First Contact Health had put in place prior to the breach.
The Authority’s Inquiry found that First Contact Health had failed to implement sufficient security measures to prevent unauthorised access to personal data accessible from the account. This is particularly important given that First Contact Health processes health information. Health information is considered special category data, under the Law, and this increased sensitivity should be borne in mind when considering security safeguard measures.
Specifically, the Inquiry identified failings in the following areas:
- First Contact Health had failed to implement Multi-Factor Authentication (MFA), meaning that only an e-mail address and password were required to access the account.
- First Contact Health failed to implement further measures to reduce the risk of unauthorised access to the account, such as conditional access policies that must be satisfied before authentication is allowed (e.g. IP address based geo-blocking).
- First Contact Health failed to implement tools to monitor suspicious authentication activity, meaning that the unauthorised access went undetected for a period of at least five months.
- Finally, First Contact Health did not conduct regular security audits or penetration tests, which would have increased the likelihood of the previous failings being identified and mitigated.
Why was that a problem?
First Contact Health’s failure to implement reasonable measures to ensure the security of personal data left e-mail accounts vulnerable to compromise from risks including phishing attacks and brute force attacks. This was critical given that much of the personal data First Contact Health processes relates to health matters and is, therefore, special category data.
What has happened as a result?
The Authority has found First Contact Health to have breached the Law and has imposed an order requiring that it take several steps to improve its security safeguards. The Authority will be ensuring that these steps are taken and can undertake further enforcement action should this order not be complied with.
What can be learned?
- Where organisations use health data, it is expected that enhanced security measures are implemented to appropriately mitigate the increased risk posed by breaches.
- It is highly recommended that organisations implement MFA on accounts wherever possible. MFA requires that at least two conditions be satisfied in order to allow access, generally comprising at least two different factors of either something you know (e.g. username and password), something you have (e.g. a specific device), or something you are (e.g. biometric data). This reduces the risk of unauthorised account access.
- As well as MFA, it is recommended that conditional access policies be used within Microsoft 365 tenants to add further conditions that must be satisfied to successfully authenticate. These may include requiring user devices to be compliant and registered, and geo-blocking IP address ranges from countries in which no-one requires access.
- It is important that measures also be implemented by organisations to detect suspicious authentication activity, allowing for mitigating action to be taken at the earliest sign of a breach.
- Security safeguards are a dynamic rather than static responsibility. Organisations must remain vigilant in an era of constantly evolving cyber-threats.
- It is not enough for organisations to implement security measures and forget about them. Regular security audits or penetration tests must be undertaken to ensure that those measures are effective and to identify further measures that should be introduced.
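The detection point above can be made concrete. The following is an added example, not part of the Authority's notice or of First Contact Health's systems: it reviews sign-in records for the three warning signs the notice names (a successful sign-in without MFA, a sign-in from a country in which no-one requires access, and a success that follows a burst of failures). The records are constructed and only loosely modelled on Entra ID sign-in log fields; the country allow-list, failure threshold and time window are assumptions an organisation would set for itself.

```python
"""Review Microsoft 365 sign-in records for the warning signs named in the notice.

Added example. Records are constructed and only loosely modelled on Entra ID
sign-in log fields; allow-list, threshold and window are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"GG", "GB"}      # assumption: where staff legitimately sign in
FAILURE_THRESHOLD = 5                 # failed attempts before a success is suspicious
FAILURE_WINDOW = timedelta(hours=1)   # failures older than this are forgotten

def make(time, user, country, status, mfa):
    return {"time": datetime.fromisoformat(time), "user": user,
            "country": country, "status": status, "mfa": mfa}

# Constructed sample: one clean sign-in, one without MFA, and a burst of
# failures followed by a success from a non-allow-listed country ("ZZ").
SIGN_INS = [
    make("2024-01-03T08:01:00", "alice@example.test", "GG", "success", True),
    make("2024-01-03T22:10:00", "bob@example.test", "GB", "success", False),
] + [
    make(f"2024-01-04T01:0{i}:00", "carol@example.test", "ZZ", "failure", False)
    for i in range(5)
] + [make("2024-01-04T01:05:00", "carol@example.test", "ZZ", "success", False)]

def analyse(records):
    """Return (user, reason, time) findings, oldest first."""
    findings = []
    recent_failures = defaultdict(list)  # user -> failure timestamps within window
    for r in sorted(records, key=lambda r: r["time"]):
        fails = recent_failures[r["user"]]
        # Drop failures that have fallen outside the window.
        fails[:] = [t for t in fails if r["time"] - t <= FAILURE_WINDOW]
        if r["status"] != "success":
            fails.append(r["time"])
            continue
        if not r["mfa"]:
            findings.append((r["user"], "success_without_mfa", r["time"]))
        if r["country"] not in ALLOWED_COUNTRIES:
            findings.append((r["user"], "success_from_non_allowed_country", r["time"]))
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append((r["user"], "success_after_failure_burst", r["time"]))
        fails.clear()  # a success resets the failure run for that account
    return findings

if __name__ == "__main__":
    for user, reason, when in analyse(SIGN_INS):
        print(f"{when:%Y-%m-%d %H:%M} {user}: {reason}")
```

In a real tenant the same checks would run over exported sign-in logs on a schedule, so that a compromised account surfaces in hours rather than, as in this case, after at least five months.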
“When you are responsible for highly sensitive personal information such as clients’ health data, it is critical to engage elevated authentication measures to guard against cyber-attacks”, said Commissioner Brent Homan. “We appreciate First Contact Health’s cooperation with our investigation and are confident that with the additional measures adopted through the enforcement order, the security of its clients’ data has been strengthened”.