NHS software services provider Advanced Computer Software Group has been fined £3.07 million by the Information Commissioner’s Office over security lapses that led to a ransomware attack on the NHS and placed the personal data of 79,404 people at risk.

The company provides software services to the NHS and other healthcare providers and processes personal data on behalf of its customers.

The fine relates to an August 2022 ransomware attack in which hackers gained access to Advanced’s health and care subsidiary.

Data access

The hackers were able to penetrate the company’s defences via a customer account that did not have multi-factor authentication, the ICO said.

At the time critical services were disrupted, including NHS 111, and other healthcare staff were left unable to access patient records.

The breach gave hackers access to patients’ phone numbers and medical records and details of how to gain entry to the homes of 890 people who were receiving care at home.

The ICO’s investigation concluded Advanced did not have sufficient security measures in place.

It criticised the “lack of complete coverage” of multi-factor authentication.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said information commissioner John Edwards at the time.

Security failures

“There is no excuse for leaving any part of your system vulnerable,” he added.

The ICO initially announced a provisional £6.09m fine, but halved it because of Advanced’s strong engagement with police, cybersecurity services and the NHS following the attack.