ICO Issues £6 Million Fine to Healthcare Provider

Advanced fined over 2022 ransomware incident where thousands of records were breached.

A fine of over £6 million has been imposed on Advanced Computer Software Group after it failed to protect the personal information of over 82,000 people.

According to a notification by the Information Commissioner’s Office (ICO), the company suffered a ransomware incident in August 2022 where attackers accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.

Exfiltrated Data

A provider of IT and software services to organisations on a national scale, including the NHS and other healthcare providers, Advanced Computer Software Group also handles personal information on behalf of these organisations as their data processor.

The personal information of 82,946 people was affected by the incident, including phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.

Healthcare System Security Failings

John Edwards, UK Information Commissioner, said that losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care,” he said. “A sector already under pressure was put under further strain due to this incident.”

He said there were “serious failings” found in Advanced’s approach to information security prior to this incident, including failing “to keep its healthcare systems secure.”

Importance of Healthcare Security

Spokespeople said this highlights the importance the ICO is placing on organisations adopting good cyber hygiene. Brian Boyd, head of technical delivery at i-confidential, said: “The incident was another reminder of the dangers that can occur when the security of suppliers is weak. In this case, the attack impacted the NHS, which caused worrying disruptions to healthcare for UK citizens.”

Kevin Robertson, COO at Acumen Cyber, said: “The fine casts a spotlight on the vulnerability of the NHS, and how its operations can be impacted by cyber-attacks on partners and suppliers.

“In the last few months, thousands of citizens across the UK have had medical procedures cancelled following the attack on Synnovis. With criminals seeing so much success from these assaults, they are set to continue, so any organisation that works with the NHS, or holds personal data, has a duty to keep it secure.”

Trevor Dearing, director of critical infrastructure at Illumio, said the fine should serve as a wakeup call to all suppliers on the need to strengthen cyber resilience. “Third-party providers form the lifeblood of critical national infrastructure organisations like the NHS, and cybercriminals will always target these providers because they know they can cause mass disruption,” he said.

“It’s also another reminder why all organisations must adopt a resilience-based mindset and ensure that all third-party providers do the same. You cannot take shortcuts when it comes to cybersecurity and the ICO recommendations make it clear that all organisations have an obligation to implement basic security controls to secure access, data and assets. Basic controls like multi-factor authentication, network segmentation, and patch management are non-negotiable.”

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.