The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has provisionally decided to fine Advanced Computer Software Group Ltd £6.09m. The fine follows an initial finding that the service provider did not implement proper security measures to protect the personal information of 82,946 people.
Advanced Computer is one of the biggest IT providers in the country, with customers including the NHS and several other healthcare providers. Due to the nature of the company’s business, it routinely processes people’s personal information on behalf of said healthcare organisations.
The fine is being issued in relation to a ransomware incident from August 2022. The ICO found that hackers could access several of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. The resulting attack crippled the NHS, causing disruptions to the NHS111 service and leaving healthcare staff unable to access patient records.
Data taken in the attack included phone numbers, medical records, and information on how to gain access to the homes of the 890 people receiving care at home at the time. Users affected by the breach have been notified, and the announcement claims that Advanced found “no evidence that any data was published on the dark web.”
That said, the commissioner’s findings are provisional, and no conclusion can be drawn regarding whether there has been a breach of data protection law or if a financial penalty will be implemented. Even if a fine is imposed, the amount is also subject to change.
John Edwards, UK Information Commissioner, said he’s publicising the decision to “ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.” Edwards went on to urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.