The UK's Information Commissioner's Office (ICO) reports that the Burnett Practice is working to improve its management of patient information following a breach of the Data Protection Act (h/t Computer Weekly).
According to the ICO, a Web-based e-mail account used by the practice to inform patients of upcoming appointments was hacked -- and the practice only became aware of the breach in October of 2012, when patients complained of receiving e-mails that claimed to come from a doctor at the practice and asked for their bank account details.
The ICO says no sensitive information was accessed, but approximately 175 patients' e-mail addresses were exposed.
"We should not have to tell GP practices that using free e-mail accounts to send details of patients’ medical appointments is unacceptable," Ken Macdonald, ICO Assistant Commissioner for Northern Ireland, said in a statement. "The health service is given access to secure e-mail accounts for a reason, and Burnett Practice's decision to use a free Web-based e-mail account placed the information at unnecessary risk."
"As well as improving the security arrangements around its email accounts, the practice will now update its procedures to make sure patients' information is properly looked after and improve the training it provides to its staff," Macdonald said. "The practice can consider itself lucky that the information was not particularly sensitive; otherwise it could have been facing a substantial financial penalty."