NHS software provider fined £3m over data breach

The Information Commissioner’s Office (ICO) has fined an NHS software provider £3m due to security lapses that caused a ransomware attack on the NHS.

Data Breach Affects Thousands

The Advanced Computer Software Group, a company that provides IT and software services to various organizations, including the NHS, has faced a penalty for a data breach that exposed the personal information of 79,404 individuals. The breach occurred in August 2022, when hackers gained access to sensitive data, including patients’ phone numbers, medical records, and home entry details for 890 people receiving home care.

Lack of Security Measures Leads to Cyberattack

The attackers exploited a customer’s account that lacked sufficient security, particularly multi-factor authentication (MFA). The ICO’s investigation revealed that Advanced had failed to implement adequate security protocols at the time of the attack.

Disruption to NHS Services

The breach disrupted critical services, including NHS 111, and prevented healthcare staff from accessing patient records. Additionally, software used for patient check-ins faced issues, further increasing the strain on an already overburdened healthcare sector.

ICO’s Findings and Proactive Engagement

Initially, the ICO announced a provisional £6m fine for the incident. However, the watchdog reduced the fine to £3m after Advanced proactively engaged with police, cybersecurity services, and the NHS following the attack. The ICO’s investigation noted that although Advanced implemented MFA across many of its systems, the company had not applied it comprehensively to all accounts.

A Stark Reminder for Organizations

Information Commissioner John Edwards stated that the breach exposed significant security weaknesses in the company’s systems. He added, “There is no excuse for leaving any part of your system vulnerable.” The fine acts as a reminder for all organizations to ensure they implement robust security measures to protect sensitive data.