Advanced Computer Software Group Ltd, a national IT and software service provider whose customers include the NHS and other healthcare providers, is facing a potential fine of £6.09m. The proposed fine follows an investigation by the Information Commissioner's Office (ICO), which found that Advanced failed to safeguard the personal information of 82,946 people from hackers in a ransomware attack in August 2022.
Hackers accessed a number of Advanced's health and care systems through a customer account that did not have multi-factor authentication. The ICO has provisionally found that sensitive personal information belonging to those 82,946 people was exfiltrated. The attack caused widespread disruption to critical services such as NHS 111, and healthcare staff were unable to access patient records. The exfiltrated data included phone numbers, medical records, and details of how to gain entry to the homes of people receiving care. Those affected have already been notified, and no evidence was found that any of the data was published on the dark web.
The fine has not been confirmed: the Commissioner will consider further information before reaching a final decision, and the amount of the fine may change. John Edwards, UK Information Commissioner, emphasized the importance of prioritizing information security, noting that losing control of sensitive personal information causes distress to people who have no choice but to place their trust in health and care organizations. The incident disrupted services and placed further strain on staff already working under challenging conditions.
Advanced failed to keep its healthcare systems secure despite having already implemented such measures on its corporate systems. All organizations should prioritize information security by taking fundamental steps to protect their systems: regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches. Edwards urged all organizations, especially those handling sensitive health information, to secure external connections with multi-factor authentication.
Data processors are obliged to implement appropriate technical and organizational measures to keep personal information safe, including regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches. Although Advanced was acting as a data processor rather than a data controller, it still had its own responsibility to keep personal information secure.