Ransomware Attack Leads to £3 Million Fine for NHS Software Supplier Over Data Breach

Bisma Farrukh

The UK’s Information Commissioner’s Office (ICO) has provisionally fined Advanced Computer Software Group £6.09 million after a 2022 ransomware attack compromised the personal data of nearly 83,000 individuals. The breach disrupted critical NHS services, including NHS 111, and exposed sensitive information such as medical records and personal contact details.
In August 2022, hackers exploited a customer account lacking multi-factor authentication to access Advanced’s health and care systems. The stolen data affected 82,946 individuals and included phone numbers, medical records, and access details for the homes of 890 patients receiving at-home care. While Advanced notified affected individuals, there is no evidence that the data was published on the dark web.
Information Commissioner John Edwards emphasized the importance of robust information security measures, stating that the incident not only compromised personal data but also disrupted healthcare services, further straining an already pressured sector. He urged organizations, especially those handling sensitive health data, to implement multi-factor authentication and regularly update security systems to prevent similar breaches.
Advanced Computer Software Group, based in Birmingham, provides IT and software services to various organizations, including the NHS. The ICO’s findings are provisional, and Advanced has the opportunity to make representations before a final decision is reached. This case serves as a stark reminder to businesses, particularly data processors, of their responsibility to uphold stringent data protection standards to safeguard personal information and maintain trust.