An NHS software provider has been fined £3m by the Information Commissioner’s Office (ICO) over security failings that led to a ransomware attack on the NHS.
The Advanced Computer Software Group was fined for a breach that put personal information of 79,404 people at risk, the UK’s data protection watchdog said.
The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information in its role as a data processor.
The breach took place in August 2022, when hackers gained access to patients’ phone numbers and medical records as well as details of how to gain entry to the homes of 890 people receiving care at home.
The unidentified hackers were able to gain access to the information by using a customer’s account that did not have sufficient protection in the form of multi-factor authentication.
The regulator’s investigation concluded that Advanced did not have appropriate security measures in place prior to the incident.
The cyberattack led to the disruption of critical services including NHS 111, and left some healthcare staff unable to access patient records.
Software used to facilitate patient check-ins was also impacted.
Last year, the regulator criticised Advanced over the incident, which placed “further strain” on a “sector already under pressure”.
While the company had installed multi-factor authentication across many of its systems, “the lack of complete coverage” was criticised by Information Commissioner John Edwards.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” Mr Edwards said.
He added the fine should serve as a “stark reminder” to organisations to ensure they have “robust security measures in place”.
“There is no excuse for leaving any part of your system vulnerable,” Mr Edwards added.
Last year, the ICO announced it intended to impose a provisional £6m fine on Advanced for the breach.
However, the watchdog said the sum had been halved because of the proactive engagement of Advanced with police, cyber security services and the NHS following the attack.
