The Information Commissioner’s Office has confirmed that software provider Advanced Computer Software Group Ltd (Advanced) has been fined £3 million over security failings that, in 2022, led to a ransomware attack that disrupted critical NHS services and compromised the personal data of roughly 80,000 patients.
The data compromised included patient phone numbers and medical records, as well as information on how to gain entry to the homes of 890 people who were receiving care at home. In addition, the ransomware attack disrupted vital NHS and 111 services and left some staff unable to access patient records.
The Information Commissioner’s investigation concluded that the impacted Advanced subsidiary failed to have the necessary security measures in place prior to this incident. These failings included a lack of comprehensive vulnerability scanning and patch management, and gaps in the deployment of multi-factor authentication; it was the multi-factor authentication gap that was exploited to gain access to the systems.
In August 2024, Advanced was provisionally fined £6.09 million. However, following proactive engagement with bodies such as the National Cyber Security Centre, the National Crime Agency and the NHS to mitigate the risk to those affected, a settlement was reached with an agreed final penalty of just over £3 million.
What lessons can be taken from this:
While the final penalty is only half of what was provisionally imposed, this case demonstrates the importance of ensuring that appropriate safeguards are in place for the data that an organisation stores and processes. Much of the data compromised was special category data, which is personal data that requires additional safeguards due to its sensitive nature. Personal data such as medical records, or instructions on how to gain access to the home of a vulnerable individual, is far more likely to cause significant harm if accessed by unauthorised individuals. The severity of the action taken reflects this.
The most valuable lesson to take from this is the importance of ensuring that your organisation has implemented the necessary security measures to protect any personal data that you store and/or process. Measures such as multi-factor authentication and access control are usually quick and easy to implement, and they make it significantly harder for unauthorised individuals (such as hackers) to access personal data. Many commonly used services, such as Microsoft Office and most well-known CRM systems, have multi-factor authentication capabilities. Investigating whether this can be enabled is a good first step towards keeping personal data secure.
Another lesson to take from this is the value of having a comprehensive breach response procedure. In this instance, Advanced was able to convince the ICO to cut £3 million off its penalty, mainly by demonstrating its willingness to proactively engage with the investigation and take all necessary steps to rectify the damage caused by the incident. A strong breach response procedure allows an organisation to respond correctly to an incident without undue delay and to take all necessary steps to ensure that a similar incident cannot happen again.
If a data breach happens, you need to act fast. Take a look at our Data Breach Management page to see what PRIVACY HELPER can do to assist.