The UK’s Information Commissioner’s Office (ICO) has announced a provisional decision to fine Advanced Computer Software Group Ltd (Advanced) £6.09M ($7.74 million) for failing to protect the personal information of tens of thousands of people when it was hit by ransomware in 2022.
Advanced, an IT service and hosting provider contracted by the United Kingdom’s National Health Service (NHS), was compromised by threat actors on August 4, 2022.
The incident impacted hundreds of public and private entities, including NHS 111, and various healthcare products such as Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan, and eFinancials.
As a result of the breach, the personal information of nearly 83,000 people was exposed, including, for 890 people receiving care at home, instructions on how to gain entry to their homes.
Although all impacted people were informed and warned to take action to mitigate the risk, and no data from the attack has been published on the dark web to date, the potential impact of exposing data this sensitive is significant.
“This incident shows just how important it is to prioritize information security,” stated UK Information Commissioner John Edwards.
“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations.”
“For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” added Edwards, regarding Advanced’s security posture.
The ICO notes that fundamental measures, such as applying security updates, enabling multi-factor authentication, and checking systems for known vulnerabilities, are vital to protecting sensitive data, and that all organizations are expected to follow at least these minimal steps.
The publication of the provisional decision is intended to remind all organizations of their security obligations and to warn of the potential repercussions of failing to meet them.
That said, the $7.74 million fine has not been imposed yet: the ICO says it awaits representations from Advanced before making a final decision, so the amount is subject to change.
If Advanced fails to produce convincing arguments and the fine stays at $7.74 million, the penalty will work out to roughly $93.3 per exposed person, which is high compared with past enforcement actions.