Failings leading to a ransomware attack that compromised the personal information of over 79,000 people and disrupted emergency services, including many in care homes, have resulted in a £3m ($3.9m) fine for Advanced Computer Software Group (Advanced).
The company was found to have failed to fully implement security measures such as multi-factor authentication (MFA) before the attack, which occurred in 2022.
Advanced provides IT and software services to healthcare organizations, including the NHS, and holds and processes personal information for them. According to the ICO press release, the systems of a subsidiary of the company were accessed by hackers who used a customer account that did not have MFA enabled.
The ICO decision follows a provisional decision released in August 2024 and provides more detail of the breach.
Systems not secure
The subsidiary had not put in place “appropriate technical and organisational measures” that would have ensured that its systems were fully secure. Issues identified during the ICO’s investigation included:
- gaps in the deployment of MFA;
- a lack of comprehensive vulnerability scanning; and
- inadequate patch management.
According to information commissioner John Edwards these security measures “fell seriously short” of the regulator’s expectations of “an organisation processing such a large volume of sensitive information.”
The resulting breach, in addition to disrupting critical services such as the emergency 111 line, put the personal information of 79,404 people at risk. That information included details of “how to gain entry into the homes of 890 people who were receiving care at home.”
Advanced has agreed to a voluntary settlement. It has acknowledged the ICO decision and will not appeal it. As a result, the ICO has reduced the original penalty of £6.09m ($7.89m) to £3,076,320 ($3,985,972).
Edwards emphasized the need for other organizations to bolster their security, saying that, because cyber incidents were increasing across all sectors, organizations “without robust security measures in place” simply risked “becoming the next target”.