NHS supplier hit with £3m fine for security failings that led to attack
Advanced Computer Software Group lacked MFA, comprehensive vulnerability scanning and proper patch management


A Birmingham-based software provider has been handed a £3 million fine for security failings that led to a ransomware attack on the NHS.
The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
Advanced provided the NHS with a range of patient management and health-related products, including Adastra, Caresys, Carenotes, Odyssey, Crosscare, Staffplan, and eFinancials.
But there were gaps in its use of multi-factor authentication (MFA), a lack of comprehensive vulnerability scanning, and inadequate patch management, according to the data protection watchdog.
"The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information," said information commissioner John Edwards.
"While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk."
The hackers, believed to be the LockBit ransomware group, accessed certain systems of Advanced’s health and care subsidiary via a customer account that lacked MFA.
Personal information belonging to 79,404 people was taken in the attack, including details of how to gain entry into the properties of 890 people who were receiving care at home.
Emergency prescription services, ambulance dispatching systems, and the non-emergency 111 phone line were affected, with some healthcare staff unable to access patient records.
"People should never have to think twice about whether their medical records are in safe hands," said Edwards.
"To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it."
The fine forms part of a voluntary settlement, and although substantial, it is lower than the penalty Advanced had been facing: in its provisional findings last summer, the ICO said it intended to impose a £6.09 million fine.
The reduction reflects the company's proactive engagement since then with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS, and the steps it has taken to mitigate the risk to those affected by the attack.
The ICO nonetheless said the fine sends a clear message to other organisations that are lax about the security of personal data.
"With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place," said Edwards.
"I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.