
ICO halves fine on NHS software provider Advanced

27/03/25

Mark Say Managing Editor


[Image: 'Penalty' in spelling blocks. Source: istock.com/Piotrekswat]

The Information Commissioner’s Office (ICO) has halved the fine imposed on NHS software provider Advanced Computer Software for data protection failures that opened it up to a cyber attack in 2022.

The regulator has announced that it is imposing a £3.07 million fine on the company for vulnerabilities leading to a ransomware attack that put the personal information of over 79,000 people at risk.

This compares with the provisional fine of £6.09 million that the regulator announced in August of last year.

The reduction follows representations submitted by the company highlighting its proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack, and other steps taken to mitigate the risk to those impacted.

This led to a voluntary settlement on the new figure.

Shortcoming in MFA

The incident involved hackers accessing certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The attack was widely reported at the time, with disruption to critical services such as NHS 111 and some healthcare staff left unable to access patient records.

The ICO’s investigation concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the 2022 incident – including gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management. 

Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. 

“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.

“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”

The ICO added that it has produced detailed guidance on protecting systems from ransomware attacks, and on the responsibilities of data processors and controllers. 
