The UK’s Information Commissioner’s Office (ICO) has provisionally decided to impose a £6.09m ($7.73m) fine on Advanced Computer Software Group, a provider of IT and software services to the NHS and other healthcare organisations.
This breach potentially compromised the personal information of individuals, including sensitive health data.
The incident, which occurred in August 2022, involved a ransomware attack that accessed systems via an account lacking multi-factor authentication.
Since then, Advanced is under scrutiny for not implementing sufficient measures to safeguard personal data.
As per the ICO’s provisional findings, the data breach affected 82,946 people, with sensitive information being exfiltrated, including medical records, phone numbers, and access details to the homes of 890 individuals receiving care at home.
In a statement on 7 August, ICO noted that the cyber-attack compromised data, while also disrupted critical NHS services, such as the NHS 111, and hindered healthcare staff from accessing patient records.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataDespite the severity of the breach, Advanced has reported no evidence of the data being published on the dark web, and all affected parties have been notified.
ICO also said that its decision is not final.
Advanced will have the opportunity to respond to the provisional findings, and the ICO will consider their representations before issuing a conclusive verdict.
The final penalty amount is also subject to change.
UK Information Commissioner John Edwards said: “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.
“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”