NHS Software Provider Facing £6M Fine Over Ransomware Attack
An IT and software services provider in the United Kingdom is facing a £6.09 million ($7.74 million) financial penalty over an August 2022 ransomware attack that disrupted the National Health Service (NHS) and other healthcare and social care services in England. The UK’s data watchdog, the Information Commissioner’s Office (ICO), investigated the attack and has disclosed the provisional findings of the investigation and the proposed financial penalty.
Advanced Computer Software Group, which provides IT and software services to the NHS and other organizations in the UK, was determined to have failed to implement sufficient measures to protect the personal information of 82,946 patients, whose data was stolen in the ransomware attack. The stolen data included names, contact information, and medical records. Almost 900 of the affected individuals were receiving healthcare services at home and had given their providers information about how to access their properties, and that information was also stolen in the attack.
The attack caused considerable disruption, including to the NHS 111 telephone service where individuals call for advice on urgent medical matters. Software solutions provided by the company were taken offline as a result of the attack, and healthcare staff were prevented from accessing patient records, affecting their ability to deliver care.
As was the case with the ransomware attack on Change Healthcare in February 2024, the ransomware group was able to gain access to internal systems via an account that did not have multi-factor authentication enabled. The attackers exploited the absence of multi-factor authentication on that account and went on to access several Advanced systems.
“For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure,” said John Edwards, UK Information Commissioner. “We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches.”
This is only a provisional finding by the ICO, and Advanced Computer Software will have the opportunity to respond. The notice of intent does not necessarily mean that any data protection laws have been violated, or that a financial penalty will be imposed when the ICO makes its final decision. The ICO chose to publicize the provisional findings so that other organizations are warned about the measures they need to implement to avoid similar incidents, including ensuring that multi-factor authentication is enforced on all external connections.