In August 2022, a ransomware attack on Advanced Computer Software Group Ltd exposed the personal data of 79,404 people, including NHS patients. The attack caused significant service outages, including disruption to NHS services such as the NHS 111 urgent-care helpline. Advanced supplied critical patient-management and clinical software to the NHS. The breach, attributed to the LockBit ransomware group, began when the attackers used compromised credentials to log in to a customer account on Advanced's systems that was not protected by multi-factor authentication.
Following the attack, the UK Information Commissioner’s Office (ICO) imposed a £3.07 million fine on Advanced for failing to secure sensitive data.
The ICO found that the company's security measures were insufficient to prevent the breach, citing gaps in vulnerability scanning, inadequate patch management, and incomplete multi-factor authentication (MFA) coverage. These lapses allowed the ransomware group to gain a foothold, move through the environment, and exfiltrate personal information. Although Advanced had some security controls in place, its failure to enforce MFA universally left an exposed entry point that a single stolen credential was enough to open.
The ICO’s fine reflects concerns about Advanced’s lack of comprehensive security precautions, which exposed personal data and caused significant disruptions in NHS operations. The breach underscored the risks associated with handling sensitive health information, particularly when appropriate safeguards are missing. Information Commissioner John Edwards emphasized that the company’s security measures were below expectations for an organization managing such sensitive data.
The fine is lower than the £6.09 million provisional penalty the ICO announced in 2024; the reduction reflects Advanced's engagement with the NCSC, the NCA and the NHS during the incident and its agreement to settle without appeal. This is the first time the ICO has fined a data processor, rather than a data controller, for a breach of UK data protection law. The case is significant for what it signals about the security standards expected of service providers that handle sensitive health information on behalf of others.