UK ICO Fines NHS Supplier For Medical Records Breach

A NHS software supplier targeted by ransomware in 2022 that resulted in a data breach, has been fined millions of pounds by the UK data protection watchdog.

The Information Commissioner’s Office (ICO) announced that it has provisionally decided to fine “Advanced Computer Software Group Ltd £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.”

The NHS has suffered multiple data breaches over the years. Last month for example the Russian criminals behind the disruptive ransomware attack in June that impacted a number of London hospitals, published the patient data they stole.

111 Cyberattack

But this particular fine concerns a data breach that emerged in August 2022.

Birmingham-based Advanced, which supplies software used by the NHS’ 111 service and other operations, had identified a cyberattack on 4 August 2022, and shortly after confirmed that it had been hit by ransomware.

The Advanced systems helps 111 call handlers dispatch ambulances and helps doctors access a patient’s GP records; Carenotes, used by mental health trusts for patienet records; Crosscare, which helps run hospices; and Staffplan, used by care organisations.

But the ICO found that the ransomware incident in August 2022 resulted in the hackers initially accessing a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.

“We have provisionally found that personal information belonging to 82,946 people was exfiltrated following the attack,” said the data protection watchdog. “The cyber attack was widely reported at the time of the incident, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.”

The stolen data included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.

People impacted have been notified, and Advanced found no evidence that any data was published on the dark web.

Patient care

“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” said John Edwards, UK Information Commissioner.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care,” said Edwards. “A sector already under pressure was put under further strain due to this incident.”

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” said Edwards. “Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.”

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future,” said Edwards. “I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

The Commissioner’s findings are provisional, and it said it would carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.

Wake up call

Trevor Dearing, director of critical infrastructure at Illumio, labelled the ICO fine as a wake up call for third-party suppliers.

“The ICO’s decision to provisionally fine Advanced should serve as a wakeup call to all suppliers on the need to strengthen cyber resilience,” said Dearing. “Third-party providers form the lifeblood of critical national infrastructure organisations like the NHS, and cybercriminals will always target these providers because they know they can cause mass disruption.

“It’s also another reminder why all organisations must adopt a resilience-based mindset and ensure that all third-party providers do the same,” said Dearing. “You cannot take shortcuts when it comes to cybersecurity and the ICO recommendations make it clear that all organisations have an obligation to implement basic security controls to secure access, data and assets. Basic controls like multi-factor authentication, network segmentation, and patch management are non-negotiable.”

Huge fine

Meanwhile Brian Boyd, head of technical delivery at i-confidential, noted the huge fine and said it highlights the importance the ICO is placing on organisations adopting good cyber hygiene.

“According to reports, Advanced Computer Software had no MFA enabled on some of the accounts that access their systems, which allowed criminals to easily break in using a stolen password,” said Boyd. “This is a major red flag. There are many places, critical accounts, critical applications, remote access, etc. where MFA is a must. Passwords are lost or stolen every day, so enabling MFA is one of the only ways to prevent criminals gaining access to networks through these credentials.”

“The incident was also another reminder of the dangers that can occur when the security of suppliers is weak,” said Boyd. “In this case, the attack impacted the NHS, which caused worrying disruptions to health care for UK citizens.”

“This is a situation that must be avoided,” said Boyd. “However, the recently announced Cyber Security and Resilience Bill has been designed to enhance supply chain security across critical industries, so it is clear the government is already actively working to combat these threats.”