An NHS software provider has been fined £3 million by the Information Commissioner’s Office (ICO) due to security failings that led to a ransomware attack affecting the NHS.
The Advanced Computer Software Group faced the penalty after a data breach exposed personal information of 79,404 people, according to the UK’s data protection watchdog.
The company supplies IT and software services to various organisations, including the NHS and other healthcare providers, handling sensitive data as a data processor.
The breach occurred in August 2022, when hackers accessed patient phone numbers, medical records, and details on how to enter the homes of 890 individuals receiving care.
Hackers gained access through a customer account that lacked proper security measures, including multi-factor authentication.
The investigation by the ICO found that Advanced had failed to implement appropriate security protections before the attack.
As a result of the cyberattack, critical NHS services, including NHS 111, were disrupted, and healthcare staff were left unable to access patient records. Software used for patient check-ins was also affected.
The regulator previously criticised Advanced, stating that the attack placed additional strain on an already pressured healthcare system. While the company had introduced multi-factor authentication on many systems, gaps in security left vulnerabilities open to exploitation.
The ICO stressed that the security shortcomings at Advanced fell significantly below the expected standards for an organisation managing such a large volume of sensitive information.
The watchdog also emphasised that all organisations must ensure robust security measures are in place to prevent similar breaches.
Initially, the ICO proposed a £6 million fine for Advanced. However, the penalty was reduced to £3 million due to the company’s cooperation with law enforcement, cybersecurity experts, and the NHS following the attack.
