The Information Commissioner’s Office (ICO) has provisionally imposed a £6m fine on an NHS software provider over a data breach that affected more than 80,000 people, including sensitive personal information such as medical records and details on how to gain entry to the homes of 890 individuals.
The breach, which occurred in 2022, saw hackers exfiltrate personal information belonging to 82,946 people, causing disruption to health services and hindering their ability to deliver patient care. The ICO emphasized that the fine was provisional, pending a response from Advanced Computer Software Group before a final decision is made.
John Edwards, the Information Commissioner, expressed concern over the incident’s impact on an already strained healthcare sector, stating, “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care.”
Advanced notified the affected individuals and found no evidence that the stolen information had been leaked on the dark web, but the criminal hackers nonetheless forced its health systems offline, affecting crucial services such as patient check-ins, medical notes, and the NHS 111 service. The cyber-attack left doctors struggling to process a backlog of medical paperwork, with some GP services resorting to pen-and-paper notes during the disruption.
The hackers gained access to the information through an inadequately protected customer account, prompting the ICO to criticize Advanced for failing to implement sufficient security measures. Mr. Edwards urged all organizations, particularly those handling sensitive health data, to secure external connections with multi-factor authentication to prevent similar incidents in the future.
The provisional fine serves as a warning to organizations to prioritize data security and take proactive measures to safeguard sensitive information from cyber threats.