Fine of £6 million could be imposed following ransomware attack
Danger sign on computer screen.

The Information Commissioner’s Office (ICO) could impose a £6 million fine following a ransomware attack that disrupted NHS and social care services in August 2022.

ICO said the provider, Advanced Computer Software Group Ltd, failed to implement the necessary measures to protect the personal information of over 82,900 people.

Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.

The provisional decision to issue a fine relates to a ransomware incident in August 2022, where the ICO has provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. 

The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home. People impacted have been notified, and Advanced found no evidence that any data was published on the dark web.

The UK's information commissioner John Edwards said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations."

He added: “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident. 

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”