
Advanced fined £3m for NHS data breach

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group (Advanced) £3m following a ransomware attack on the NHS in August 2022.

Notably, the ICO originally considered a provisional fine of £6m but ultimately halved this due to the firm’s proactive engagement with the authorities. This is the first time a data processor has been fined by the ICO, setting a precedent that will no doubt be closely observed by both the legal sector and the cyber community.

The incident, which put the personal information of almost 80,000 people at risk, was reported to the ICO by Advanced at the time of the breach. Hackers were able to access customer accounts where there was insufficient multi-factor authentication (MFA) protection. Although MFA existed across many systems, the coverage was incomplete. The ICO also identified a lack of comprehensive vulnerability scanning and inadequate patch management.

Those services impacted at the time included NHS 111 (which was using Advanced’s Adastra product - now called Clinical Patient Management) and care homes (using products such as Caresys for activities including patient notes and visitor booking).

Advanced emphasises that, in the two and a half years since the incident, it has become a very different business, taking a much more effective approach to cyber and information security.

A spokesperson for the company said: “What happened over two and a half years ago is wholly regrettable. With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.”

