NHS software provider faces £6m fine after hackers steal tens of thousands of medical records

The data protection watchdog has issued a provisional ruling holding software company Advanced responsible for “serious failings” after a cyberattack led to the theft of sensitive patient data and disrupted NHS services.

Advanced, a major IT provider for the NHS, is facing a potential fine of just over £6 million due to shortcomings that resulted in the breach, which occurred on 4 August 2022. The Information Commissioner’s Office (ICO) has been investigating the incident, which affected systems critical to the health service, including those used for dispatching ambulances, booking out-of-hours appointments, and issuing emergency prescriptions.

In its provisional findings, the ICO stated that Advanced violated data protection laws by failing to adequately secure the personal information of 82,946 individuals. Hackers were able to carry out a ransomware attack by exploiting an account within Advanced’s systems that lacked multi-factor authentication (MFA), a security measure that typically prevents unauthorized access even if passwords are compromised.

The stolen data included highly sensitive details such as phone numbers, medical records, and entry instructions for the homes of 890 individuals receiving care. The cyberattack caused significant disruption, impacting essential services like NHS 111 and leaving healthcare staff unable to access patient records.

Those affected by the breach have been notified, and there is no indication that any of the stolen data has been published on the dark web.

The ICO has tentatively decided to impose a £6.09 million fine, though the final decision and any associated penalties will depend on Advanced’s response to the ruling.

John Edwards, the UK Information Commissioner, commented: “This incident not only compromised personal information but also reportedly disrupted vital health services. For an organization entrusted with handling large amounts of sensitive and special category data, we have provisionally identified serious shortcomings in its information security practices.”

Following the breach, Advanced confirmed that patient information was copied from its systems before being encrypted by the attackers. Ransomware attacks like this typically involve encrypting victims’ data and demanding payment for its release.

Source

Control F5 Team
Blog Editor
OUR WORK
Case studies

We have helped 20+ companies in industries like Finance, Transportation, Health, Tourism, Events, Education, Sports.

READY TO DO THIS
Let’s build something together