A Calgary doctor uses his personal Gmail account to communicate sensitive personal health information, does not protect his account, and whammo: 7,000 of his patients now have their private information circulating on the Intertubes.
What are the takeaways?
First, never use your personal email to communicate business-sensitive information. In this case, the doctor had been provided with a secure email service by the Alberta Health Service. With many companies, the corporate email system is protected (at least to some degree) against compromise and breach, defences that your personal email probably does not have.
Secondly, protect your personal email like the crown jewels it represents. Think about it: how many other services do you use online that are tied to your personal email account, such that all that is required to reset the password is to click a button and respond to an email? An attacker who takes over your email can take over all of those accounts too!
Which begs the question, how do you protect your email?
- Use a killer password generated and stored in a password manager.
- Enable multi-factor authentication such as Google Authenticator, Microsoft Authenticator, or Authy. Do not use SMS (text messages) as your second factor unless there is absolutely no other option. It’s better than nothing, but much weaker than a proper second factor.