Software provider facing £6m fine over ransomware attack that hit NHS services

7 August 2024, 00:04

A woman’s hand pressing keys of a laptop keyboard
NHS cyber attacks. Picture: PA

The Information Commissioner’s Office said it has provisionally decided to fine Advanced Computer Software Group over the incident.

The UK’s data protection watchdog said it has provisionally decided to fine a software provider just over £6 million over a 2022 ransomware attack that disrupted NHS and social care services.

The Information Commissioner’s Office (ICO) said it had provisionally found that Advanced Computer Software Group had failed to implement measures to protect the personal information of 82,946 people who were affected by the attack, which included some sensitive information.

The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information as part of its role as a data processor.

In August 2022, hackers accessed a number of the firm’s health and care systems via a customer account which did not have multi-factor authentication.

The attack led to disruption to critical services including NHS 111, and data taken included phone numbers and medical records, as well as details on how to gain entry to the homes of nearly 900 people receiving care at home.

“This incident shows just how important it is to prioritise information security,” Information Commissioner John Edwards said.

“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care.

“A sector already under pressure was put under further strain due to this incident.

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.

“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.

“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.

“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

The ICO said its findings were provisional and no conclusion should yet be drawn on whether there had been a breach of data protection law.

The regulator said it would consider any representations from Advanced before making any final decision on the issue.

By Press Association

More Technology News

See more More Technology News

The technology giant said the growth of cloud computing and artificial intelligence was key to the increasing investment (Niall Carson/PA)

Amazon Web Services ‘to invest £8bn in UK over next five years’

The hands of a person on a laptop keyboard

Most people have no plan for digital assets upon death, Which? warns

Economic statement

Drawing down Apple tax billions will take months – Ireland’s finance minister

Sony's PlayStation 5 Pro console

Sony confirms PlayStation 5 Pro console will launch in November

A man looking under a car's bonnet

Apple brings iPhone breakdown assistance feature to the UK

Apple Showcase

How does the new iPhone 16 compare to its AI-powered rivals?

Apple logo on a glass building

Ireland ‘will respect’ ruling to claim 13bn euro from Apple in back taxes

Apple logo next to a map of Ireland displayed on an iPhone

Ireland must recover 13bn euro in taxes from Apple, court rules

The tech giant confirmed the new devices would go on sale on September 20 (Apple)

Apple unveils AI-powered iPhone 16 range

iPad advert backlash

Apple expected to unveil iPhone 16 range with new AI tools

Google homepage

Competition regulator objects to Google’s ad tech practices

A passenger waits for a Tube train at Westminster London Underground station

TfL restricts access to online services due to cyber attack

A purple Currys sign above a store entrance

Currys boosted by AI-curious customers as it takes 50% laptop market share

The Darktrace wesbite

Darktrace chief steps down ahead of £4.3bn private equity takeover

Charlotte Owen

Baroness Owen to introduce law change aimed at criminalising deepfake creation

Hands using computer with artificial intelligence app

UK signs first international treaty on artificial intelligence