Actions Taken to Prevent a Recurrence of Data Breach
| Authority | Manx Care |
|---|---|
| Date received | 2025-12-31 |
| Outcome | All information sent |
| Outcome date | 2026-01-19 |
| Case ID | 5199742 |
Summary
The requester asked Manx Care to outline measures taken to prevent a recurrence of a 2022 data breach involving patient health details. Manx Care disclosed that the original fine was stayed and detailed seven specific remediation steps, including technology reviews, staff training updates, and Global Address List restrictions.
Key Facts
- The original £170,500 fine issued in July 2022 was stayed by the Information Commissioner after remediation steps were taken.
- Manx Care reviewed and cleansed the Global Address List by removing dormant accounts and limiting access to wider government lists.
- Mandatory staff training on data protection was refreshed and updated on the eLearnVannin platform.
- Seven specific policies were reviewed or developed, including Email, Security, and Bring-Your-Own-Device policies.
- The project was overseen by the Information Governance Advisory Board with representatives from Manx Care, DHSC, and the Cabinet Office.
Data Disclosed
- £170,500
- 1,870 recipients
- August 2022
- July 2022
- 31 December 2025
- 6 January 2026
- 5199742
Original Request
Dear Sir/Madam In August 2022, Manx Care was fined £170,500 by the Isle of Man Information Commissioner due to a data breach which involved an insecure email attachment containing the patient's confidential health details being sent to 1,870 recipients. Can you please outline the measures and steps Manx Care has taken to prevent a recurrence of this? Such as restriction of Microsoft Global Address Lists, Staff Training or improved guidance on the sending of patient information via email? Many thanks
Full Response Text
Manx Care Noble’s Hospital, Strang Braddan, Isle of Man IM4 4R (01624) 650 000
Our ref: 5199742 6 January 2026
Dear
We write further to your request, received 31 December 2025, which states:
"Dear Sir/Madam
In August 2022, Manx Care was fined £170,500 by the Isle of Man Information Commissioner due to a data breach which involved an insecure email attachment containing the patient's confidential health details being sent to 1,870 recipients.
Can you please outline the measures and steps Manx Care has taken to prevent a recurrence of this?
Such as restriction of Microsoft Global Address Lists, Staff Training or improved guidance on the sending of patient information via email?
Many thanks"
Our response:
The Isle of Man Information Commissioner (ICO) issued a penalty notice to Manx Care in July 2022. Following the steps taken to remediate the breach the ICO subsequently agreed to stay the penalty and Manx Care was not required to pay the fine.
Manx Care undertook a project that included the following measures:
- Review use of technology for discharge and referral processes selecting the most favourable option and deployed with associated training and support for staff.
- Review previously reported data breaches to inform prioritisation of changes required to improve protection of ‘PID’ (Personally Identifiable Data).
- Refresh existing data protection policy documents and updated mandatory staff training on the eLearnVannin platform.
- Revise the breach notification procedures and re-train staff accordingly.
- Review and cleanse the Global Address List:
  • Removing dormant accounts and mailing groups;
  • Limiting ability to send to certain mailing groups;
  • Revised process for approval of new distribution lists;
  • Limiting access to the wider Government Global Address List.
- Explored suitability and implementation of software solutions that add additional confirmation layer to the sending of confidential data.
- Policies and procedures were reviewed with associated procedures developed covering:
  • Email Policy
  • Security Policy
  • ‘Bring-Your-Own-Device’ Policy
  • Storage and Transmission Policy
  • Record Management and Retention Policy
  • Registration Authority Policy
  • Confidentiality Policy
Policies are accessible to all Manx Care staff via an Intranet site. Any updates are communicated to staff, and training is provided to support understanding and consistent implementation. Staff training is embedded as an ongoing process thereby promoting continual improvement and adherence across Manx Care.
The above measures were supported by a project team and a communication plan to inform key stakeholders of progress and the work was overseen by the Information Governance Advisory Board with representatives from Manx Care, DHSC and Cabinet Office (Public Health and Transformation).
Please quote the reference number 5199742 in any future communications.
Your right to request a review
If you are unhappy with this response to your freedom of information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post.
An electronic version of our complaint form can be found by going to our website at https://services.gov.im/freedom-of-information/Review . If you would like a paper version of our complaint form to be sent to you by post, please contact me and I will be happy to arrange for this. Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded.
If you are not satisfied with the result of the review, you then have the right to appeal to the Information Commissioner for a decision on;
1. Whether we have responded to your request for information in accordance with Part 2 of the Freedom of Information Act 2015; or
2. Whether we are justified in refusing to give you the information requested.
In response to an application for review, the Information Commissioner may, at any time, attempt to resolve a matter by negotiation, conciliation, mediation or another form of alternative dispute resolution and will have regard to any outcome of this in making any subsequent decision.
More detailed information on your right to a review can be found on the Information Commissioner’s website at www.inforights.im.
Should you have any queries concerning this letter, please do not hesitate to contact me. Further information about freedom of information requests can be found at www.gov.im/foi.
I will now close your request as of this date.
Yours sincerely