A GP practice has signed an undertaking to tighten up on data security after an estimated 175 patients received emails claiming to be from a doctor at the surgery asking them for money.
The incident occurred when a free web-based email account used by the Burnett Practice practice in Portadown, County Armagh, Northern Ireland to inform patients of smear test appointments was hacked.
Patients reported receiving strange emails asking them to provide their bank account details in October last year.
An investigation by the Information Commissioners Office concluded that no sensitive information was accessed but said the account included the email addresses of approximately 175 of the practice’s patients who had been previously invited to a smear test and received confirmation that the results were normal.
Further investigation determined that the email service provider used by the practice was not appropriate to communicate the outcome of the tests.
The email account was closed and the practice has informed those patients affected.
Ken Macdonald, ICO assistant commissioner for Northern Ireland, said: ‘We should not have to tell GP practices that using free email accounts to send details of patients’ medical appointments is unacceptable.
‘The health service is given access to secure email accounts for a reason, and Burnett Practice’s decision to use a free web-based email account placed the information at unnecessary risk.
‘As well as improving the security arrangements around its email accounts, the practice will now update its procedures to make sure patients’ information is properly looked after and improve the training it provides to its staff.
‘The practice can consider itself lucky that the information was not particularly sensitive; otherwise it could have been facing a substantial financial penalty.’
