A Birmingham-based software provider has been handed a £3 million fine for security failings that led to a ransomware attack on the NHS.
The Information Commissioner’s Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
Advanced provided the NHS with a range of patient management and health-related products, including Adastra, Caresys, Carenotes, Odyssey, Crosscare, Staffplan, and eFinancials.
But there were gaps in its use of multi-factor authentication (MFA), a lack of comprehensive vulnerability scanning, and inadequate patch management, according to the data protection watchdog.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said information commissioner John Edwards.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
The hackers, believed to be the LockBit ransomware group, accessed certain systems of Advanced’s health and care subsidiary via a customer account that lacked MFA.
Personal information belonging to 79,404 people was taken in the attack, including details of how to gain entry into the properties of 890 people who were receiving care at home.
Emergency prescription services, ambulance dispatching systems, and the non-emergency 111 phone line were affected, with some healthcare staff unable to access patient records.
“People should never have to think twice about whether their medical records are in safe hands,” said Edwards.
“To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.”
The fine forms part of a voluntary settlement. And while very large, it’s less than Advanced might have been facing – the ICO warned last summer in its provisional findings that it planned to hit the company with a £6.09 million penalty.
What’s changed since then is the company’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS, and the steps it’s taken to mitigate the risk to those impacted by the attack.
However, the ICO said the fine sends a salutary message to other organizations that may be a bit slapdash about the security of personal data.
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place,” said Edwards.
“I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”
