The software provider Advanced Computer Software Group Ltd could have to pay a £6.09m ($7.7m) fine after failing to implement measures to protect the personal information of 82,946 people.
The provisional decision was issued by the Information Commissioner’s Office (ICO), and relates to a ransomware attack in 2022.
During the attack, hackers were able to access a number of the company’s health and care systems via a customer account that did not have multi-factor authentication.
“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” said John Edwards, UK Information Commissioner.
Sensitive information
The hackers got hold of some sensitive personal information, including phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home. The attack also disrupted critical services such as NHS 111 and left other healthcare staff unable to access patient records.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident,” Edwards added.
Edwards said that he published this provisional decision to help other organisations avoid the same kind of incident. Even though data processors, such as Advanced Computer Software Group, act on the instructions of their clients, data controllers must still implement their own measures to keep personal information secure, he stressed.
“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
The ICO will review any representations from the company before making a final decision; the amount of the fine is also subject to change.