States of Guernsey under investigation following data breach which saw 5,059 records leaked

The States of Guernsey
Steps were taken to recover the email as soon as the error was noted, the recipient also confirmed the email had been permanently deleted. Credit: ITV Channel

The States of Guernsey is under investigation after a data breach resulted in more than 5,000 individuals' records relating to health debts being accidentally emailed to a customer.

The data was sent by a civil servant within the States of Guernsey Corporate Debt Management Team.

It contained information including full names and details of amounts owed for service.

The email was accidentally sent out on Thursday 18 April by the central States of Guernsey Corporate Debt Management Team and contained data relating to Health & Social Care (HSC) liabilities.

In total, 5,059 individuals are thought to have been affected by the breach.

Information such as patient names, reference to and names of parents/guardians if the liability related to a child, the title of the service, the customer’s unique reference number, the document or invoice number, the issue date, the due date and the value of the balance was leaked.

However, officials have reassured members of the public saying no medical records or details of procedures were included and that there was no risk of the breach leading to identity fraud as insufficient data was shared.

There were no details relating to personal income tax, social insurance contributions or corporate tax.

Steps were taken to recover the email as soon as the error was noted and the recipient also confirmed the email had been permanently deleted.

Chief resources officer Bethan Haines said: “I know that this incident will cause frustration and distress and I want to unreservedly apologise for the lapse in the security of customer data.

"The States of Guernsey has strict internal training requirements specific to confidentiality and data safeguarding, with refresher training for the Corporate Debt Management Team occurring at least annually.

"We take matters of data security extremely seriously and have taken immediate steps to strengthen our security measures, whilst we continue to investigate the incident to capture the lessons learnt.”

The office of the Data Protection Authority confirmed the matter had been reported to them.

In a statement, it said: "The decision to initiate this inquiry under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017 has been made following consideration of a breach notification submitted to the Authority by the Director of the Revenue Service and seeks to establish whether the Director of the Revenue Service has breached an operative provision of the Law.

"Not all breach notifications result in investigations or inquiry. They are assessed on their particular fact and risk situations.

"The outcome of the Authority’s inquiry should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time."

Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know...