British company Advanced fined £3m by privacy regulator over ransomware attack

Advanced, a business that provides IT services to numerous healthcare providers in the United Kingdom, has been fined £3.1 million (about $4 million) by the country’s privacy regulator over a ransomware attack in 2022.

The company had initially faced a fine of £6 million before reaching a voluntary settlement with the Information Commissioner’s Office (ICO), which announced on Thursday that the company’s security failings “put the personal information of 79,404 people at risk.”

Under both the European Union and United Kingdom’s data protection laws, organizations controlling and processing personal data are required to protect that data and can face investigations and fines from regulators in the wake of an incident.

It is rare for the ICO to issue fines in ransomware cases, and this penalty has been imposed more than two years after the incident itself occurred. As previously reported by Recorded Future News, despite ransomware data breaches reaching record high levels across the United Kingdom, the number of incidents being investigated by the ICO is dwindling to record lows, raising questions about the regulator’s capacity and approach to the problem.

The ransomware attack on Advanced in August 2022, suspected to have been conducted by the LockBit group, followed hackers accessing systems operated by one of Advanced’s subsidiaries via a customer account that did not have multi-factor authentication enabled.

It caused enormous disruption across the United Kingdom, including taking down the NHS 111 critical service used to triage non-emergency but urgent medical calls. Doctors, nurses and other staff were forced to resort to pen and paper to complete their jobs due to the impact on IT systems — provoking a crisis management COBR meeting in the British government as officials feared the impact the attack could have on patient care.

The ICO said its investigation into the data breach “found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.”

John Edwards, the Information Commissioner, said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

His comments followed a series of ransomware incidents affecting the healthcare sector last year, including one in which every single household in the Scottish region of Dumfries and Galloway received a letter warning residents that their data was likely to have been accessed by cybercriminals and published online following a ransomware attack.

Another ransomware incident affecting a pathology company led to a critical incident being declared across several hospitals in London. The disruption has to date caused the postponement of more than 5,000 acute outpatient appointments, including hundreds of operations for cancer treatments.

Data on more than 900,000 individuals was subsequently published online by the cyber extortion group behind the attack, according to an analysis of the data reported by Recorded Future News.

Neither NHS England nor the directly impacted pathology service provider Synnovis — both of which are legally responsible for protecting patients’ information — has provided its own count of people impacted by the cyberattack.

The Information Commissioner said on Thursday: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

The British government has pledged to introduce a new Cyber Security and Resilience Bill to parliament this year to address the growing disruption caused by cyberattacks. As the government describes the bill, it will expand existing laws to cover more digital services and supply chains and increase mandatory incident reporting.

Earlier this year, the government proposed a major overhaul of how the country responds to ransomware attacks, including by banning public sector bodies from making extortion payments and requiring all victims to report incidents to the government.

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.