NHS software provider faces steep fine after 2022 data breach exposed sensitive patient info


A leading NHS software provider could face a sizable fine after falling victim to a cyber attack that affected more than 80,000 people.

Advanced Computer Software Group, which provides IT services for the health service, fell victim to a ransomware attack in August 2022. 

During the incident, threat actors were able to access a number of Advanced’s health and care systems through a customer account that lacked multi-factor authentication (MFA).

Following a lengthy investigation, the UK’s Information Commissioner’s Office (ICO) has issued a provisional fine of £6 million for the company’s failure to adequately protect users.

"This incident shows just how important it is to prioritize information security,” said information commissioner John Edwards. “Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations.”

"Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident."

Edwards said the ICO's provisional decision was that Advanced showed 'serious failings' in its approach to security.

Data stolen during the attack included phone numbers and medical records, as well as details of how to gain entry to the premises of 890 people who were receiving care at home.

Meanwhile, critical services such as NHS 111 were disrupted and healthcare staff were unable to access patient records.

The attack was attributed to the LockBit ransomware group, whose infrastructure was disrupted in an operation led by the UK’s National Crime Agency (NCA) earlier this year. The stolen data does not appear to have been published on the dark web.

The ICO confirmed it will wait to hear Advanced's response before confirming the fine, and noted that the company notified all those affected.


Data processors such as Advanced are required to put in place appropriate technical and organizational measures to make sure that personal information is kept secure.

This includes assessing and mitigating risk: enforcing multi-factor authentication on every login that can be reached from outside the network, scanning for vulnerabilities on a regular schedule and applying security patches promptly. In Advanced’s case the entry point was a single customer account on which MFA had not been enforced, so the first check is to find such accounts before an attacker does.
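One way to make that check concrete is to audit authentication logs for successful logins from outside the network that were not protected by MFA, which is exactly the gap the ICO describes. The script below is an added example written for this page, not code from Advanced, the ICO or any product. The JSON-lines event format and its field names (ts, user, src_ip, result, mfa), the internal address ranges and the sample events are all constructed assumptions; adapt the parser to whatever your identity provider or VPN actually emits.

```python
"""Audit auth events for external logins that succeeded without MFA.

Added example for this article; the log schema and sample data are constructed.
"""
import ipaddress
import json

# Address ranges treated as "inside" the organisation (assumption for the example).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events in a hypothetical JSON-lines format. The field names
# are an assumption, not any real product's schema. The last line is deliberately
# malformed to show that a bad record must not abort the audit.
SAMPLE_LOG = """\
{"ts": "2022-08-02T03:11:07Z", "user": "svc-customer-42", "src_ip": "203.0.113.45", "result": "success", "mfa": "not_enrolled"}
{"ts": "2022-08-02T03:12:30Z", "user": "svc-customer-42", "src_ip": "203.0.113.45", "result": "success", "mfa": "not_enrolled"}
{"ts": "2022-08-02T08:00:01Z", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "mfa": "satisfied"}
{"ts": "2022-08-02T08:05:44Z", "user": "bob", "src_ip": "10.20.30.40", "result": "success", "mfa": "not_required"}
{"ts": "2022-08-02T09:15:00Z", "user": "mallory", "src_ip": "203.0.113.99", "result": "failure", "mfa": "not_enrolled"}
{"ts": "2022-08-02T09:20:12Z", "user": "carol", "src_ip": "198.51.100.8", "result": "success", "mfa": "not_required"}
not json at all
"""

REQUIRED_FIELDS = ("ts", "user", "src_ip", "result")


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank, malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in ev for k in REQUIRED_FIELDS):
            events.append(ev)
    return events


def is_external(src_ip, internal_networks=INTERNAL_NETWORKS):
    """True if the source address lies outside every trusted internal range."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in internal_networks)


def unprotected_external_logins(events, internal_networks=INTERNAL_NETWORKS):
    """Successful logins from outside the network where MFA was not satisfied.

    Both "not_enrolled" (account never set up MFA) and "not_required" (policy
    exempted this login) count as unprotected; only "satisfied" passes.
    """
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if not is_external(ev["src_ip"], internal_networks):
            continue
        if ev.get("mfa") != "satisfied":
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "mfa": ev.get("mfa")})
    return findings


def accounts_to_remediate(events, internal_networks=INTERNAL_NETWORKS):
    """Distinct accounts with at least one unprotected external login, sorted."""
    return sorted({f["user"] for f in unprotected_external_logins(events, internal_networks)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in unprotected_external_logins(evs):
        print(f"{f['ts']} {f['user']:<16} {f['src_ip']:<15} mfa={f['mfa']}")
    print("accounts needing MFA enforcement:", accounts_to_remediate(evs))
```

Run against the constructed sample, the audit reports three logins (two by the service account that never enrolled in MFA and one by a user whose login was policy-exempted) and two accounts to fix; the internal login and the failed attempt are correctly ignored. Treating "not_required" as a finding is deliberate: an account with an MFA exemption for external access is the same exposure as one with no MFA at all.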

"We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches," he said.

"I am choosing to publicize this provisional decision today as it is my duty to ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication."

According to research from Illumio, many healthcare organizations in the UK are failing to implement strong enough security controls.

"Supply chain security remains a significant challenge within the NHS as shown by the recent Synnovis cyberattack," said the company's director of critical infrastructure Trevor Dearing.

"In fact, when we reached out to 213 NHS Trusts under the Freedom of Information Act 2000 in July 2023, more than a quarter of Trusts had not conducted audits on their third-party suppliers’ cybersecurity measures. Organizations should mitigate the risk posed by the supply chain by building a plan that focuses on containing an attack."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.