NHS software supplier Advanced faces £6m fine over ransomware attack failings

The company hit by a ransomware attack that disrupted Britain’s National Health Service (NHS) back in August 2022 is facing a data protection fine of over £6 million ($7.6 million) for failing to protect the personal information of tens of thousands of people.

Advanced, a company providing IT services to numerous healthcare providers in the United Kingdom, allowed hackers to steal “phone numbers and medical records” belonging to 82,946 people, according to the UK’s Information Commissioner’s Office (ICO).

Announcing its provisional decision on Wednesday to fine the company £6.09 million, the ICO said the ransomware group also exfiltrated “details of how to gain entry to the homes of 890 people who were receiving care at home.”

The hackers, reportedly part of the LockBit scheme, were initially able to access Advanced’s health and care systems through “a customer account that did not have multi-factor authentication,” according to the ICO’s investigation into the incident.

Advanced did not say whether it made an extortion payment to the attackers, but said it found no evidence that data was published on the dark web. The company will have an opportunity to contest the ICO’s findings before the penalty is ultimately issued.

‘Serious failings’

The ransomware attack on the company caused enormous disruption across the United Kingdom, including taking down the NHS 111 critical service used to triage non-emergency but urgent medical calls.

Doctors, nurses and other staff were forced to resort to pen and paper to complete their jobs due to the impact on IT systems — provoking a crisis management COBR meeting in the British government as officials feared the impact the attack could have on patient care.

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” said John Edwards, the UK’s Information Commissioner.

“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”

Edwards said his office had chosen to publicize the provisional decision to “urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

The announcement follows two more recent attacks affecting the NHS. Halfway through June, every single household in the Scottish region of Dumfries and Galloway received a letter warning residents that their data was likely to have been accessed by cybercriminals and published online following a ransomware attack.

Another ransomware incident earlier that month, this time affecting a pathology company, led to a critical incident being declared across several hospitals in London. The disruption has to-date caused the postponement of more than 5,000 acute outpatient appointments, including hundreds of operations for cancer treatments.