The UK Information Commissioner’s Office (ICO) has provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09 million following a ransomware attack in 2022 that disrupted NHS and social care services.

This decision comes after initial findings indicated that Advanced failed to implement adequate measures to protect the personal information of 82,946 individuals, including sensitive data.

Advanced, a national provider of IT and software services to organizations such as the NHS, handles personal information on behalf of these entities as their data processor. In the ransomware incident of August 2022, attackers gained access to several of Advanced's health and care systems through a customer account that was not protected by multi-factor authentication.

The attack led to the exfiltration of personal information belonging to 82,946 people. The compromised data included phone numbers, medical records, and details on how to access the homes of 890 individuals receiving home care.

The breach caused significant disruption to critical services, including NHS 111, with healthcare staff unable to access patient records. Advanced has found no evidence that the stolen data was published on the dark web, and those affected have been notified.


John Edwards, UK Information Commissioner, emphasized the importance of prioritizing information security, particularly for organizations handling sensitive data. “Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations. This incident caused disruption to some health services, impacting their ability to deliver patient care,” Edwards stated.


The Commissioner’s findings are currently provisional. No final conclusion has been reached regarding any breach of data protection law or the imposition of a financial penalty. The ICO will consider any representations made by Advanced before making a final decision, and the fine amount may also be subject to change.

Edwards highlighted serious failings in Advanced's approach to information security before the incident: the protections in place on its corporate systems had not been applied to the health and care systems that were compromised. “We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches,” he added.

The ICO is publicizing this provisional decision to inform other organizations and help them secure their systems to prevent similar incidents in the future. Edwards urged all organizations, especially those handling sensitive health data, to secure external connections with multi-factor authentication urgently.

Data processors like Advanced are required to implement appropriate technical and organizational measures to ensure the security of personal information. This includes assessing and mitigating risks, regularly checking for vulnerabilities, and maintaining up-to-date security patches.