The UK Information Commissioner’s Office (ICO) has fined NHS vendor Advanced more than £6 million for failing to secure the information of thousands of people who were later affected by a ransomware attack. The cybercriminals behind the attack gained access to Advanced’s health and care systems through a customer account that did not have multi-factor authentication enabled, leading to significant disruptions in NHS services across the UK.
The attack, which occurred in August 2022, caused outages at the NHS non-emergency 111 line and forced hospitals and medical practices to resort to pen and paper for several weeks. Patients’ records were inaccessible to physicians at affected NHS trusts, highlighting the serious consequences of cybersecurity failures in the healthcare sector.
Mandiant, the incident response firm that investigated the hack, identified the use of malware associated with the LockBit ransomware gang. While LockBit did not publicly claim responsibility for the attack on its dark web leak site, the lack of confirmation raises suspicions that a ransom may have been paid. Advanced has not disclosed whether a ransom was indeed paid, raising further questions about the company’s response to the breach.
In its post-incident report released in October 2022, Advanced acknowledged that the cybercriminals exploited legitimate third-party credentials to gain unauthorized access to its network, emphasizing the absence of multi-factor authentication on the compromised account. The ICO’s provisional fine of £6.09 million reflects the watchdog’s determination that Advanced violated data protection laws by failing to implement adequate security measures before the attack.
The ICO confirmed that the cyberattack resulted in the theft of data belonging to nearly 83,000 individuals in the UK, including sensitive information such as phone numbers, medical records, and details on how to access the homes of 890 individuals receiving home care services. The provisional nature of the fine indicates that the penalty amount could be subject to change based on further developments in the case.
ICO Commissioner John Edwards emphasized the importance of securing external connections with multi-factor authentication, particularly for organizations handling sensitive health data. By going public with this case, the watchdog aims to raise awareness about the need for robust cybersecurity measures to prevent similar incidents from occurring in the future.
Despite the severity of the situation, representatives from Advanced have not commented on the fine, highlighting the challenges of addressing cybersecurity incidents in a transparent and accountable manner. The case serves as a stark reminder of the critical role that data protection plays in safeguarding individuals’ privacy and security, especially in the healthcare industry, where sensitive information is routinely handled.