
The UK’s Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group £3 million following a security failure that led to a ransomware attack on the NHS. The breach, which exposed sensitive information of 79,404 people, highlighted major shortcomings in the company’s cyber defenses.
The attack occurred in August 2022, when hackers infiltrated Advanced’s systems through a customer account that lacked multi-factor authentication. This vulnerability allowed the attackers to access personal data, including patients’ phone numbers, medical records, and entry details for 890 individuals receiving care at home.
The cyberattack had widespread consequences, particularly affecting critical NHS services. The NHS 111 helpline experienced significant disruption, while some healthcare staff were unable to access patient records. Additionally, software used for patient check-ins was impacted, further straining an already pressured healthcare sector.
The ICO’s investigation found that Advanced failed to implement adequate security measures before the breach. While the company had deployed multi-factor authentication across many systems, its incomplete coverage left critical areas exposed.
Information Commissioner John Edwards condemned Advanced’s security failings, stating: "The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information."
Edwards emphasized that the £3 million fine serves as a stark warning for companies handling sensitive data. "There is no excuse for leaving any part of your system vulnerable," he added.
Originally, the ICO had proposed a £6 million fine, but the penalty was halved due to Advanced’s proactive cooperation with authorities, including law enforcement, cybersecurity agencies, and the NHS in the aftermath of the breach.