The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 2pm, 12 February 2026
Controller: First Contact Health
What happened?
On 21 May 2024, First Contact Health became aware that unauthorised access had been
gained to an employee’s email account, when it discovered it had been the target of fraud
attempts by cyber criminals.
The Authority was notified of the breach by First Contact Health in line with its obligations
under the Law, and an Inquiry was initiated after concerns were identified relating to the
security measures that First Contact Health had put in place prior to the breach.
The Authority’s Inquiry found that First Contact Health had failed to implement sufficient
security measures to prevent unauthorised access to personal data accessible from the
account. This is particularly important given that First Contact Health processes health
information. Health information is considered special category data, under the Law, and this
increased sensitivity should be borne in mind when considering security safeguard
measures.
Specifically, the Inquiry identified failings in the following areas:
• First Contact Health had failed to implement Multi Factor Authentication (MFA),
meaning that only an e-mail address and password were required to access the account.
• First Contact Health failed to implement further measures to reduce the risk of
unauthorised access to the account, including implementing conditional access policies
that must be satisfied to allow authentication (e.g. IP address based geo-blocking).
• First Contact Health failed to implement tools to monitor suspicious authentication
activity, meaning that the unauthorised access went undetected for a period of at least
five months.
• Finally, First Contact Health did not conduct regular security audits or penetration tests,
which would have increased the likelihood of the previous failings being identified and
mitigated.
Why was that a problem?
First Contact Health’s failure to implement reasonable measures to ensure the security of
personal data left e-mail accounts vulnerable to compromise from risks including phishing
attacks and brute force attacks. This was critical given that much of the personal data First
Contact Health processes relates to health matters and is, therefore, special category data.
What has happened as a result?
The Authority has found First Contact Health to have breached the Law and has imposed an
order requiring that it take several steps to improve its security safeguards. The Authority
will be ensuring that these steps are taken and can undertake further enforcement action
should this order not be complied with.
What can be learned?
• Where organisations use health data, it is expected that enhanced security measures are
implemented to appropriately mitigate the increased risk posed by breaches.
• It is highly recommended that organisations implement MFA on accounts wherever
possible. MFA requires that at least two conditions be satisfied in order to allow access,
generally comprising at least two different factors of either something you know (e.g.
username and password), something you have (e.g. a specific device), or something you
are (e.g. biometric data). This reduces the risk of unauthorised account access.
• As well as MFA, it is recommended that conditional access policies be used within
Microsoft 365 tenants to add additional conditions that must be satisfied to successfully
authenticate. These may include conditions such as requiring user devices to be
compliant and registered, and geo-blocking of IP address ranges from countries in which
no-one requires access.
• It is important that measures also be implemented by organisations to detect suspicious
authentication activity, allowing for mitigating action to be taken at the earliest sign of a
breach.
• Security safeguards are a dynamic rather than static responsibility. Organisations must
remain vigilant in an era of constantly evolving cyber-threats.
• It is not enough for organisations to implement security measures and forget about
them. Regular security audits or penetration tests must be undertaken to ensure that
those measures are effective and to identify further measures that should be
introduced.
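As an added illustration that is not drawn from the notice or from First Contact Health's systems, the following Python sketch runs the kind of check the Authority describes over constructed sign-in records: successful sign-ins that satisfied only one factor, sign-ins from countries outside an assumed allow-list, and a run of failed attempts followed by a success. The record layout, the country allow-list and the failure threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Assumed allow-list for a Guernsey-based controller (ISO country codes).
ALLOWED_COUNTRIES = {"GG", "JE", "GB"}
# Assumed threshold: this many consecutive failures before a success is suspicious.
FAILURE_RUN_THRESHOLD = 5

# Constructed sample records: (ISO timestamp, user, country, mfa_satisfied, outcome).
# The layout is assumed; real tenant sign-in logs carry many more fields.
SIGN_INS = [
    ("2024-01-10T08:02:00", "alice@example.invalid", "GG", True, "success"),
    ("2024-01-10T08:05:00", "bob@example.invalid", "GG", True, "success"),
    ("2024-01-11T02:13:00", "bob@example.invalid", "ZZ", False, "failure"),
    ("2024-01-11T02:13:20", "bob@example.invalid", "ZZ", False, "failure"),
    ("2024-01-11T02:13:40", "bob@example.invalid", "ZZ", False, "failure"),
    ("2024-01-11T02:14:00", "bob@example.invalid", "ZZ", False, "failure"),
    ("2024-01-11T02:14:20", "bob@example.invalid", "ZZ", False, "failure"),
    ("2024-01-11T02:14:40", "bob@example.invalid", "ZZ", False, "success"),
]

def parse(record):
    """Turn one raw tuple into a dict with a datetime so records can be ordered."""
    ts, user, country, mfa, outcome = record
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "mfa": mfa, "outcome": outcome}

def detect(records):
    """Return (rule, user, detail) alerts; records are processed in time order."""
    alerts = []
    consecutive_failures = defaultdict(int)  # per-user run of failed attempts
    for r in sorted(map(parse, records), key=lambda rec: rec["ts"]):
        user = r["user"]
        if r["outcome"] != "success":
            consecutive_failures[user] += 1
            continue
        # Successful sign-in: evaluate each condition independently.
        if r["country"] not in ALLOWED_COUNTRIES:
            alerts.append(("geo_outside_allow_list", user, r["country"]))
        if not r["mfa"]:
            alerts.append(("single_factor_success", user, r["country"]))
        if consecutive_failures[user] >= FAILURE_RUN_THRESHOLD:
            alerts.append(("failure_run_then_success", user, consecutive_failures[user]))
        consecutive_failures[user] = 0  # a success ends the run
    return alerts

if __name__ == "__main__":
    for alert in detect(SIGN_INS):
        print(alert)
```

With the constructed records, only the second user's final sign-in raises alerts, one for each of the three conditions.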
“When you are responsible for highly sensitive personal information such as clients’ health
data, it is critical to engage elevated authentication measures to guard against
cyber-attacks”, said Commissioner Brent Homan. “We appreciate First Contact Health’s
cooperation with our investigation and are confident that with the additional measures
adopted through the enforcement order, the security of its clients’ data has been
strengthened”.