The UK’s data protection watchdog has announced a provisional £6m fine for a healthcare IT service provider, after ruling that cybersecurity failures led to a serious ransomware breach.
The Information Commissioner’s Office (ICO) revealed the £6.1m penalty for Advanced Computer Software Group this morning.
It relates to an August 2022 attack when the personal information of nearly 83,000 people was exfiltrated, including phone numbers and medical records, and details on how to gain physical entry to the homes of 890 people who were receiving care.
The ransomware breach also had a major knock-on impact on services, with NHS staff unable to access healthcare records and reports suggesting that it disrupted patient referrals, out-of-hours appointment bookings, emergency prescriptions and ambulance dispatches.
Read more on Advanced breach: Recovery From NHS Ransomware Attack May Take a Month.
Advanced runs several key systems for the health service, including clinical patient management software (Adastra), financial management software (eFinancials) and the NHS 111 medical advice line.
Information Commissioner John Edwards argued that a sector already under pressure was put under further strain due to the incident.
“For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” he added.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
Edwards urged all organizations – “especially those handling sensitive health data” – to secure external connections with multifactor authentication (MFA).
It’s believed that a LockBit affiliate was able to reach Advanced’s corporate systems by hijacking an account that didn’t have MFA enabled, and then launching a Remote Desktop Protocol (RDP) session.
Lawyers for Advanced will now prepare a response, which they hope will help persuade the regulator to change its decision and/or reduce the fine.