Dental Clinic Reprimanded After Hacked Microsoft Account Sparks Phishing Breach

A Guernsey dental clinic has been reprimanded by the data protection watchdog after a cyber breach exposed weaknesses in its security and governance.

The Office of the Data Protection Authority (ODPA) ruled that Fresh Dental breached the Data Protection (Bailiwick of Guernsey) Law 2017 after an employee’s Microsoft 365 account was compromised and used to send phishing emails in October 2024.

Fresh Dental reported the incident to the Authority on the same day. However, concerns over the breach and the clinic’s response prompted the ODPA to open a formal investigation.

In its determination, the ODPA found that Fresh Dental had no legally binding written agreement with its IT provider, despite the provider acting as a data processor for around eight years.

“When asked to provide a copy of the legally binding agreement in place between Fresh Dental and its IT provider, Fresh Dental confirmed that there was no such agreement,” the Authority said.

The watchdog also concluded that the clinic failed to take reasonable steps to protect personal data, particularly given that handling sensitive health information is central to its work.

Although some security measures were in place, the ODPA said they were inadequate. It found gaps in employee training, phishing detection, and penetration testing. The penetration testing carried out covered only a limited area and failed to identify the vulnerability exploited in the attack.

Fresh Dental also did not provide cyber security training to staff, despite stating in its own policies that such training would be delivered.

“Had this training been provided, the likelihood of the employee recognising the signs of a malicious e-mail would have increased, reducing the risk of compromise,” the Authority said.

The ODPA further criticised the clinic’s handling of the incident, noting that limited records were kept. This meant Fresh Dental could not demonstrate that reasonable steps had been taken to identify the root cause of the breach.

While an incident response plan existed, the Authority said it was not followed. No representations were submitted by Fresh Dental during the investigation.

As a result, the ODPA issued an enforcement order requiring the clinic to strengthen its technical and organisational security measures and introduce cyber security training for staff.

Fresh Dental has also been ordered to put a legally binding data processing agreement in place with its IT provider within three months. In addition, it must carry out a full penetration test within six months and consider implementing any reasonable recommendations within nine months.