
Guernsey Data Protection Authority Sanctions First Contact Health Following Security Failings 

16/02/2026

The Office of the Data Protection Authority (ODPA) has sanctioned First Contact Health after an inquiry found significant failings in the organisation’s data security measures, particularly regarding the protection of sensitive health information.

Breach Discovered in May 2024

  • On 21 May 2024, First Contact Health became aware of unauthorised access to an employee’s email account after uncovering fraud attempts by cybercriminals.
  • The organisation reported the incident to the ODPA in accordance with its obligations under Guernsey’s data protection law.
  • Following the notification, the Authority launched an Inquiry due to concerns about the adequacy of First Contact Health’s existing security safeguards at the time of the breach.

Inquiry Findings: Insufficient Security Measures

  • The Authority concluded that First Contact Health failed to implement reasonable and proportionate measures to prevent unauthorised access to personal data.
  • This was particularly concerning given the organisation’s processing of special category health data, which requires enhanced protection under the Law.

Key failings identified included:

  • Lack of Multi-Factor Authentication (MFA): Access to email accounts required only a username and password.
  • Absence of Conditional Access Policies: No restrictions such as IP-based geo-blocking or device compliance checks.
  • Inadequate Monitoring Tools: Suspicious login activity went undetected for at least five months.
  • No Regular Security Audits: The organisation did not undertake periodic security audits or penetration tests that might have revealed these weaknesses earlier.

Why These Failures Matter

  • According to the Authority, the lack of reasonable safeguards left systems exposed to common cyber threats such as phishing and brute-force attacks.
  • Given that First Contact Health handles sensitive medical information, these failures significantly heightened the potential harm resulting from a compromise.

Enforcement Action

  • The ODPA has ruled that First Contact Health breached its obligations under the Law.
  • An enforcement order has been issued requiring the organisation to implement several specified security improvements.
  • The Authority will monitor compliance closely and may take further enforcement action if the requirements are not met.

Key Lessons for Organisations

The Authority highlighted several broader takeaways for all data controllers and processors:

  • Organisations handling health or other sensitive data must implement enhanced security controls.
  • MFA should be enabled wherever possible to reduce unauthorised access risks.
  • Conditional access policies (e.g., device compliance checks, geo-blocking) strengthen authentication security.
  • Monitoring tools that detect suspicious login or authentication activity are essential.
  • Cybersecurity requires continuous review; measures must evolve as threats evolve.
  • Regular security audits and penetration tests are critical to verifying and improving existing safeguards.
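The monitoring failing above (suspicious login activity undetected for at least five months) and the corresponding lesson (tools that detect suspicious login or authentication activity) are where a practitioner wants to see what such detection actually looks like. The following is an added example, not code from the ODPA, First Contact Health or the original article. It runs three simple rules over sign-in records: a burst of failed logins from one source IP against one account (brute force), a successful sign-in from a country outside an allowlist (what a geo-blocking conditional access policy would have prevented outright), and two successful sign-ins for one user from different countries within a short window (impossible travel). The log lines, field names, country allowlist and thresholds are all constructed assumptions for the example.

```python
"""Sign-in anomaly detection over constructed mailbox sign-in records (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds: assumptions for this example, not values from the ruling.
ALLOWED_COUNTRIES = {"GG", "JE", "GB"}  # where staff are expected to sign in from
FAIL_THRESHOLD = 10                     # this many failures from one IP against one account ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this window is treated as brute force
TRAVEL_WINDOW = timedelta(hours=1)      # successes from two countries inside this window is impossible travel

# Constructed sample log (newline-delimited JSON). Field names are assumed; IPs are
# documentation ranges. "bob" is password-guessed then compromised from RU; "alice"
# signs in from GG and then NG half an hour later; "carol" is benign.
SAMPLE_LOG = "\n".join(
    [
        '{"user":"alice","ts":"2024-05-01T08:02:11Z","ip":"203.0.113.10","country":"GG","result":"success"}',
        '{"user":"alice","ts":"2024-05-01T08:31:40Z","ip":"198.51.100.7","country":"NG","result":"success"}',
    ]
    + [
        '{"user":"bob","ts":"2024-05-01T02:%02d:00Z","ip":"192.0.2.55","country":"RU","result":"failure"}' % m
        for m in range(12)
    ]
    + [
        '{"user":"bob","ts":"2024-05-01T02:13:00Z","ip":"192.0.2.55","country":"RU","result":"success"}',
        '{"user":"carol","ts":"2024-05-01T09:00:00Z","ip":"203.0.113.22","country":"GG","result":"success"}',
    ]
)


def parse_log(text):
    """Parse NDJSON sign-in records and return them sorted by timestamp (UTC)."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events):
    """Return alerts as dicts {rule, user, detail}, one per distinct (rule, user, detail)."""
    alerts, seen = [], set()

    def alert(rule, user, detail):
        key = (rule, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append({"rule": rule, "user": user, "detail": detail})

    fails = defaultdict(deque)  # (user, ip) -> timestamps of failures inside FAIL_WINDOW
    last_success = {}           # user -> most recent successful sign-in record
    bruted = set()              # (user, ip) pairs already flagged as brute force

    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            q = fails[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > FAIL_WINDOW:  # drop failures outside the sliding window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alert("brute_force", e["user"], e["ip"])
                bruted.add(key)
            continue

        # Successful sign-in: the interesting case is success after a guessing burst.
        if key in bruted:
            alert("brute_force_success", e["user"], e["ip"])
        if e["country"] not in ALLOWED_COUNTRIES:
            alert("geo_anomaly", e["user"], "%s:%s" % (e["country"], e["ip"]))
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alert("impossible_travel", e["user"], "%s->%s" % (prev["country"], e["country"]))
        last_success[e["user"]] = e
    return alerts


def run(text=SAMPLE_LOG):
    """Convenience entry point: parse and detect in one call."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for a in run():
        print("%-20s %-6s %s" % (a["rule"], a["user"], a["detail"]))
```

On the constructed log this raises five alerts: brute force against bob, the subsequent successful sign-in from the same IP, a geo anomaly for bob (RU) and for alice (NG), and impossible travel for alice (GG to NG within the hour). The rules are deliberately stateless beyond a sliding window so they can be run over exported sign-in logs in batch; in practice the geo and impossible-travel checks belong in a conditional access policy that denies the sign-in, with detection as the backstop for sign-ins that policy lets through.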

Authority Statement - Commissioner Brent Homan

  • “When you are responsible for highly sensitive personal information such as clients’ health data, it is critical to engage elevated authentication measures to guard against cyber-attacks.”
  • “We appreciate First Contact Health’s cooperation with our investigation and are confident that with the additional measures adopted through the enforcement order, the security of its clients’ data has been strengthened.”
