An NHS software provider has been fined £3.07 million by the Information Commissioner’s Office (ICO) for security failures that led to a ransomware attack, putting the personal data of nearly 80,000 people at risk.
The Advanced Computer Software Group, which supplies IT and software services to the NHS and other healthcare providers, was found to have had inadequate security measures in place before the cyberattack in August 2022. The attackers exploited these weaknesses to access patients’ phone numbers and medical records, and, for 890 people receiving care at home, the details of how to gain entry to their homes.
Lack Of Security Measures Led To Breach
The attackers gained entry through a customer account that lacked multi-factor authentication (MFA), a basic control that requires a second proof of identity beyond a password, so that a stolen or guessed password alone is not enough to log in. Because MFA had not been enforced on this account, a single set of valid credentials was sufficient to obtain unauthorised access and expose sensitive patient information.
The ICO’s investigation found that Advanced had not implemented sufficient security protections across all its systems, despite handling vast amounts of highly sensitive medical data. The ransomware attack severely disrupted NHS services, including NHS 111, and left healthcare staff unable to access critical patient records. It also impacted software used for patient check-ins, further straining an already pressured healthcare system.
ICO: Security Failures “Seriously Short” Of Expectations
Information Commissioner John Edwards criticised the company’s incomplete security coverage, saying it failed to meet the standards expected of an organisation processing such sensitive information.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” Edwards said.
He emphasised that the £3.07 million fine should serve as a “stark reminder” for organisations to strengthen their security systems.
“There is no excuse for leaving any part of your system vulnerable,” he added.
Fine Reduced Following Company’s Cooperation
Initially, the ICO had proposed a £6.09 million fine for the data breach. The amount was roughly halved in recognition of Advanced’s cooperation with authorities, including law enforcement, cybersecurity agencies, and the NHS, in the aftermath of the attack.
Despite the reduced penalty, the case highlights the critical importance of cybersecurity in healthcare, where a breach can jeopardise patient safety as well as privacy and disrupt essential services. The ICO has urged all organisations handling sensitive data to review their security measures, making sure that controls such as MFA are applied to every account and system rather than only to some, and to ensure robust protections are in place to prevent similar incidents in the future.