NHS Software Supplier faces £6 million fine over Ransomware failings

Date: 8 August 2024

Featured Image

NHS software provider Advanced Computer Software Group is facing a substantial fine of over £6 million following a significant ransomware attack in 2022. The incident, which occurred in August 2022, exposed the personal data of nearly 83,000 individuals.

The Information Commissioner’s Office (ICO) has provisionally concluded that Advanced failed to implement adequate measures to protect the personal data it was entrusted with. 

As a principal IT provider for the NHS and other healthcare entities in England, Advanced Computer Software Group was obligated to adhere to rigorous data protection standards as a data processor. The ICO's inquiry revealed that these standards were insufficiently implemented, creating a significant vulnerability that was exploited by cybercriminals.

The ICO's decision to impose a hefty fine aims to serve as a deterrent and a wake-up call for organisations handling sensitive data. Information Commissioner John Edwards emphasised the distress caused to individuals whose data was compromised and the necessity for organisations to prioritise cybersecurity. 

Edwards also said that his office decided to publicise the provisional decision to “urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.” 

Based in Birmingham, Advanced is owned by investment firms Vista Equity Partners and BC Partners (50% each). The final penalty amount will be determined based on Advanced's response. The company will have the chance to challenge the ICO’s conclusions before the fine is officially imposed. 

Topics Covered Here: 
1.  A Recap of the 2022 Ransomware Attack that Impacted the NHS
2. NHS and Third-Party Security
3. How to Protect Against Ransomware Disruptions

New call-to-action

What Happened in the NHS Disruption in 2022? 

The ransomware attack on Advanced exploited a vulnerability in its systems that allowed hackers to access a customer account lacking multi-factor authentication (MFA). Multi-factor authentication is a basic yet essential security measure. This breach, caused by missing MFA, not only exposed sensitive data but also disrupted healthcare services, which can have dire consequences for patient care and safety. 

Overnight, the cyber criminals managed to infiltrate crucial health and care services infrastructure. The ransomware attack on Advanced resulted in severe disruptions across NHS services.  This led to significant operational challenges. 

Here are some key points on the Advanced 2022 ransomware attack:

  • Phone numbers and medical information of 82,946 people were stolen. 

  • The information also contained details on accessing the properties of 890 people receiving home care. 

  • The attack forced NHS staff to turn to pen and paper to continue providing healthcare services.

  • Critical functions such as NHS 111, ambulance dispatch systems, and out-of-hours appointment scheduling were compromised.

  • There is no evidence that the stolen data has been published on the regular or dark web.

  • Advanced did not make any comments on whether it made an extortion payment or not. 

 

NHS Synnovis banner

A Warning Call for NHS Third-Party Security 

The news of the ICO’s provisional decision to fine Advanced has brought to light the struggles of the NHS with its third-party service providers. The announcement comes only a few months after the NHS suffered a level-three critical incident due to a cyber attack on its pathology service provider, Synnovis. 

Till date, the ransomware attack on Synnovis has postponed more than 5,000 acute outpatient appointments. This includes hundreds of operations for cancer treatments.

Cybersecurity experts are now highlighting the need for tighter Supply Chain security at the NHS and medical institutions worldwide. 

Director of critical infrastructure at Illumio, Trevor Dearing, said the fine serves as "a wakeup call" to all suppliers to fortify their cybersecurity infrastructure.

He said, as per Computing.co.uk,  "Supply chain security remains a significant challenge within the NHS as shown by the recent Synnovis cyber attack. In fact, when we reached out to 213 NHS Trusts under the Freedom of Information Act 2000 in July 2023, more than a quarter of Trusts had not conducted audits on their third-party suppliers' cybersecurity measures."

Get detailed insights into the NHS disruption this year in our Synnovis and NHS Ransomware Attack Timeline.  

(Back to Top)

New call-to-action

What Can You Do to Avoid Hefty Regulatory Fines? 

The breach at Advanced and the subsequent news about the regulatory fine has once again  highlighted critical shortcomings in cybersecurity measures, particularly in the healthcare space. It has underscored the urgent need for robust ransomware protection and cyber incident response training

It also brings the conversation back to cybersecurity basics. Something as rudimentary as MFA, which all organisations must implement, can cost you millions of pounds. It is imperative to practise good cybersecurity hygiene. It is also critical to train your staff in cyber incident response and allow them practice for handling real-world incidents with cyber attack tabletop exercises

Proper training can equip organisations to handle cyber threats more effectively, minimising the risk of data breaches and operational disruptions. The lack of preparedness and insufficient security protocols at Advanced significantly contributed to the severity of the attack and the subsequent fine. 

Organisations must understand that without adequate ransomware protection and incident response training, their ability to withstand cyber attacks is severely compromised. 

New call-to-action

Conclusion

As the investigation into Advanced unfolds and the fine is finalised, stakeholders in the healthcare and data protection sectors will keenly observe the results. The cybersecurity community will also have all eyes on the steps Advanced takes to regain trust and bolster its security protocols. 

Ultimately, the £6 million fine levied against Advanced Computer Software Group serves as a stark reminder of the vulnerabilities that exist within healthcare IT systems. It also underlines the devastating impact of ransomware attacks. Organisations must prioritise Ransomware mitigation measures and sensitive data protection to secure their finances and their business reputation. There’s simply no other choice today. 

(Back to Top)

Show comments

Related posts

October 2024: Biggest Cyber Attacks, Data Breaches, Ransomware Attacks

1 November 2024

October 2024: Biggest Cyber Attacks, Data Breaches, Ransomware Attacks
September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks

1 October 2024

September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks
Elevating IT Security with Customer Authentication in Call Centres

24 September 2024

Elevating IT Security with Customer Authentication in Call Centres
Optimizing Geotargeting and Localizing Content for Websites

11 September 2024

Optimizing Geotargeting and Localizing Content for Websites
Footer Top Background Image
Simply fill in your details to request a FREE callback