Software provider facing £6m fine over ransomware attack that hit NHS services
The Information Commissioner’s Office said it has provisionally decided to fine Advanced Computer Software Group over the incident.
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.The UK’s data protection watchdog said it has provisionally decided to fine a software provider just over £6 million over a 2022 ransomware attack that disrupted NHS and social care services.
The Information Commissioner’s Office (ICO) said it had provisionally found that Advanced Computer Software Group had failed to implement measures to protect the personal information of 82,946 people who were affected by the attack, which included some sensitive information.
The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information as part of its role as a data processor.
Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations
In August 2022, hackers accessed a number of the firm’s health and care systems via a customer account which did not have multi-factor authentication.
The attack led to disruption to critical services including NHS 111, and data taken included phone numbers and medical records, as well as details on how to gain entry to the homes of nearly 900 people receiving care at home.
“This incident shows just how important it is to prioritise information security,” Information Commissioner John Edwards said.
“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care.
“A sector already under pressure was put under further strain due to this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.
I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future
“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.
“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
The ICO said its findings were provisional and no conclusion should yet be drawn on whether there had been a breach of data protection law.
The regulator said it would consider any representations from Advanced before making any final decision on the issue.