Watchdog Fines NHS IT Firm £6M Following Hack

The Information Commissioner’s Office (ICO) has provisionally imposed a £6m fine on an NHS software provider due to a data breach that affected more than 80,000 individuals.

The breach, which occurred in 2022, involved sensitive personal information, including medical records and details on “how to gain entry to the homes of 890 people.”

The ICO clarified that the fine is provisional, pending a response from Advanced Computer Software Group before a final decision is made.

Initial findings suggest that personal information belonging to 82,946 people was “exfiltrated” by hackers.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care,” said John Edwards, the Information Commissioner. “A sector already under pressure was put under further strain due to this incident.”

The ICO also confirmed that individuals affected by the hack have been notified, and Advanced has not found any evidence that the compromised information was leaked on the dark web.

Criminal hackers took seven of Advanced’s health systems offline, including software used for patient check-ins, medical notes, and the NHS 111 service.

At the time, doctors told the BBC that it might take months to process the backlog of medical paperwork caused by the cyber-attack, forcing some GP services to revert to pen and paper instead of electronic systems.

The hackers gained access to the information through a customer's account that lacked sufficient protection. Even so, the ICO believes Advanced should have had measures in place to guard against this weakness on its side.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future,” said Mr Edwards. “I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

Lauren Wills-Dixon, solicitor and head of privacy at law firm Gordons, echoed this sentiment.

“The scale of this potential ICO enforcement is another reminder to any organisation, particularly those processing special category or ‘sensitive’ data on behalf of customers (such as health data) which is given special protection under data protection laws, that they must have robust security measures in place to protect their systems and data,” she told the BBC.

“Such measures would typically include investing in appropriate technical and organisational measures, implementing robust IT infrastructure and monitoring/detection, developing effective policies, procedures and training, as well as creating, maintaining and testing a business continuity and disaster recovery plan.”