IT services company Advanced faces £6m penalty over NHS data breach  

Advanced is under scrutiny after a ransomware attack in 2022 accessed systems via an account lacking multi-factor authentication.

Soumya Sharma August 08 2024

The UK's Information Commissioner’s Office (ICO) has provisionally decided to impose a £6.09m ($7.73m) fine on Advanced Computer Software Group, a provider of IT and software services to the NHS and other healthcare organisations. 

The breach potentially compromised individuals' personal information, including sensitive health data.

The incident, which occurred in August 2022, involved a ransomware attack that accessed systems via an account lacking multi-factor authentication. 

Since then, Advanced has been under scrutiny for not implementing sufficient measures to safeguard personal data.

According to the ICO's provisional findings, the data breach affected 82,946 people, with sensitive information exfiltrated, including medical records, phone numbers, and access details to the homes of 890 individuals receiving care at home.

In a statement on 7 August, the ICO noted that the cyber-attack compromised data while also disrupting critical NHS services, such as NHS 111, and hindering healthcare staff from accessing patient records.

Despite the severity of the breach, Advanced has reported no evidence of the data being published on the dark web, and all affected parties have been notified. 

The ICO also said that its decision is not final.

Advanced will have the opportunity to respond to the provisional findings, and the ICO will consider its representations before issuing a conclusive verdict.

The final penalty amount is also subject to change.  

UK Information Commissioner John Edwards said: “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.  

“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches. 

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
