NHS IT firm faces £6m fine over medical records hack

A software provider is facing a potential £6m fine following a 2022 ransomware attack that disrupted NHS and social care services across England.

The Information Commissioner’s Office (ICO) has provisionally concluded that Advanced Computer Software Group did not implement adequate measures to protect the personal data of 82,946 people affected by the breach, which included sensitive information.

Advanced provides IT and software services to various organisations, including the NHS and other healthcare providers, and acts as a data processor. In August 2022, hackers gained access to the company’s healthcare systems through a customer account that lacked multi-factor authentication.

The cyber attack caused major disruption to vital services such as NHS 111, with data stolen including phone numbers, medical records and details of how to access the homes of nearly 900 people receiving home care.

A leaked internal NHS England memo has revealed that the attack affected many of the NHS’s services, including urgent care centres and mental health providers, by taking essential software offline, posing a major challenge to these services.

Information Commissioner John Edwards stressed the importance of prioritising information security: “Losing control of sensitive personal information will be devastating for people who have had no choice but to place their trust in healthcare organisations. Not only has personal information been compromised, but we have also seen reports that this incident has caused disruption to some health services, disrupting their ability to provide care to patients.”

Edwards said he hoped the fine would prompt companies to urgently improve their data protection procedures. “For an organisation trusted to handle a large volume of sensitive and private data, we have found some serious failings in their approach to information security prior to this incident,” he said. “We expect all organisations to take basic steps to secure their systems, such as regularly scanning for vulnerabilities, implementing multi-factor authentication and updating systems with the latest security patches.”

The ICO's findings are provisional, and the regulator will consider any representations from Advanced before reaching a final decision.
