Medical Specialist Group LLP fined £100,000 after sensitive patient data stolen in cyber attack

The data regulator says that The Medical Specialist Group's measures to protect against cyber attacks "fell well short of legal requirements". Credit: ITV Channel

The Medical Specialist Group LLP (MSG) has been fined £100,000 after sensitive health data was stolen in a cyber attack.

The company, which Guernsey's government contracts to provide specialist care, had its server compromised by criminals who accessed emails which contained around 100 patients' details.

The breach covered correspondence about appointments, test results and general enquiries, with the data regulator saying that thousands of emails were vulnerable to the hackers.

It adds that this theft of personal details led to multiple phishing campaigns "over a series of months", in which fraudsters attempted to steal further sensitive information directly from patients.

The data breach happened in August 2021, but was only detected and reported by The MSG three and a half months later after it received several suspicious emails.

All the affected patients have been individually contacted by The MSG.

An inquiry by Guernsey's Data Protection Authority found that The MSG "failed to take reasonable steps to ensure the security of personal data", routinely failing to install security updates over a 13-month period, which it says directly led to the email server being exploited and to "other critical vulnerabilities".

The regulator also notes there "were several missed opportunities to detect unauthorised access" due to flaws in the company's use of threat detection software.

It also identified issues with The MSG's internal investigation, including that the company failed to find the root cause of the server vulnerability.

Guernsey's Data Protection Commissioner, Brent Homan, explains: "Medical information demands the highest level of safeguard protection against cyber attacks, and the sanction in this matter reflects that the measures in place at MSG fell well short of legal requirements.

"Looking to the future, the new CEO has committed to positioning MSG as a leader in the health sector for safeguarding data.

"In fact, the action plan developed by MSG not only meets, but exceeds what we would have expected. I am confident that when the plan has been fulfilled, Bailiwick residents, many of whom use MSG's services, should benefit from an exceptional level of protection for their health information."

Out of the £100,000 fine, a quarter will be waived if The MSG fully implements this plan within 14 months.

The MSG Chief Executive Officer, Dr Farid Fouladinejad, says: "We essentially have a playbook. We know if something happens what the processes are that we should follow, but also seeking expert advice because we're healthcare experts, not IT experts."
