
The UK Information Commissioner’s Office (ICO) has imposed a £3.07m fine on Advanced Computer Software Group (Advanced) following a ransomware attack in 2022 that compromised the personal data of 79,404 individuals, including NHS patients. The company provides IT and software services to national entities such as the NHS and other healthcare providers and is responsible for managing personal information on behalf of these organisations.
The fine relates to a ransomware incident in August 2022, in which attackers gained entry to the systems of Advanced’s health and care subsidiary through a customer account that did not have multi-factor authentication (MFA) enabled. The attack was reported to have disrupted essential services such as NHS 111 and prevented healthcare staff from accessing patient records.
Investigation reveals security lapses in Advanced’s health and care systems
The ICO’s investigation found that the personal data of 79,404 individuals was compromised, including details of how to gain entry to the homes of 890 individuals receiving home care. The ICO concluded that Advanced’s health and care subsidiary lacked the technical and organisational measures needed to secure its systems before the 2022 breach. The gaps identified were incomplete MFA deployment, insufficient vulnerability scanning and inadequate patch management.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said Information Commissioner John Edwards. “While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable,” added Edwards.
In August 2024, the ICO had provisionally proposed a £6.09m fine. Advanced responded to that provisional decision with representations, which the ICO reviewed in full. Several points from these representations led to the reduction of the fine, notably Advanced’s active collaboration with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS following the attack, and the measures it took to mitigate risks to affected individuals.
The ICO and Advanced have reached a voluntary settlement. Advanced has accepted the decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without filing an appeal. “I welcome the settlement with Advanced, which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process,” said Edwards.