A software vendor faces a fine of more than £6 million over a 2022 ransomware attack that disrupted NHS and social care services in England, the data protection watchdog has announced.
The Information Commissioner’s Office (ICO) said it had provisionally determined that Advanced Computer Software Group had failed to implement measures to protect the personal information of 82,946 people affected by the attack, including sensitive information.
The company provides IT and software services to organisations across the country, including the NHS and other healthcare providers, and processes information as part of its role as a data processor.
In August 2022, hackers gained access to the company’s health and care systems through a customer account that lacked multi-factor authentication.
The attack disrupted vital services including NHS 111. Data was stolen including phone numbers and medical records, as well as information on how to access the homes of almost 900 people receiving care at home.
An internal NHS England memo leaked to the Guardian at the time revealed that “a number of NHS services, including NHS 111, some urgent care centres and some mental health providers are using software that has been taken offline”. It added: “This poses a significant challenge to these services.”
Information Commissioner John Edwards said the incident highlighted the importance of prioritising information security.
He said: “The loss of control over sensitive personal information will be painful for people who had no choice but to place their trust in health and care organisations.
“Not only has personal information been compromised, but we have also seen reports that this incident has led to disruption to a number of health services, affecting their ability to deliver patient care.
“A sector that was already under pressure has come under even further pressure due to this incident.”
Edwards said he hoped the fine would prompt companies to take swift action to better protect their private data.
He said: “For an organisation familiar with processing a significant amount of sensitive and special category data, we have provisionally found serious deficiencies in its information security approach prior to this incident.
“Despite the fact that measures have already been taken on the company systems, we are currently of the opinion that Advanced has failed to ensure the security of its care systems.
“We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches.
“I am choosing to announce this interim decision today because I have a duty to ensure that other organizations have information that can help them secure their systems and prevent similar incidents in the future.
“I call on all organizations, especially those processing sensitive health data, to urgently secure external connections with multi-factor authentication.”
The ICO said the findings are preliminary and no conclusion can yet be drawn as to whether there has been a breach of data protection law.
The regulator said it would consider any objections raised by Advanced before making a final decision on the matter.