The British data and privacy watchdog plans to fine Advanced Software millions of pounds over the 2022 ransomware incident that crippled healthcare services across the country.
The UK Information Commissioner’s Office (ICO) has proposed a £6.09 million [approximately US$ 7.74 million] fine against Advanced Computer Software Group Ltd. for failing to safeguard the personal data of tens of thousands of individuals, including sensitive medical information.
“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” said John Edwards, UK Information Commissioner. “Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.”
ICO Explains Why the Fine Against Advanced Software Is Justified
Advanced, a leading IT and software services provider serving numerous organizations including the National Health Service (NHS), acted as a data processor handling personal information on behalf of its clients. The proposed fine stems from a LockBit 3.0 ransomware attack in August 2022 that compromised the personal data of 82,946 individuals.
Hackers exploited a customer account lacking multi-factor authentication to infiltrate Advanced’s health and care systems. They gained entry using legitimate third-party credentials to open a remote desktop session on the company’s Staffplan Citrix server, which is used for scheduling caregiver shifts.
The attackers subsequently moved deeper into Advanced’s infrastructure, escalating their privileges. As a result, the personal data of 16 NHS trust clients using the company’s Staffplan and Caresys patient caregiver management solutions was stolen. However, patient data controlled by NHS trusts was not compromised, according to Advanced.
In addition, sensitive data including phone numbers, medical records, and home addresses of 890 individuals receiving at-home care was exfiltrated. While no data appeared on the dark web, the incident severely disrupted critical healthcare services such as NHS 111 and hindered access to patient records.
The ICO’s decision is provisional, and the final penalty amount may change following consideration of Advanced’s response. No conclusion has been reached regarding a data protection law violation.
Information Commissioner John Edwards emphasized the criticality of information security, stating that the loss of sensitive personal data caused significant distress to individuals who relied on healthcare providers. The cyberattack not only compromised personal information but also exacerbated pressures on an already strained healthcare sector.
Edwards criticized Advanced’s information security practices, noting the company’s failure to adequately protect its healthcare systems despite measures in place for corporate systems. The ICO urged all organizations, particularly those handling sensitive health data, to prioritize security measures such as regular vulnerability assessments, multi-factor authentication, and up-to-date security patches.
Data processors, like Advanced, share responsibility with data controllers for safeguarding personal information. Implementing robust technical and organizational measures to assess and mitigate risks is essential to prevent data breaches.
UK’s NHS ‘Highly Vulnerable’ to Cyberattacks
Professor Ciaran Martin, the first head of the UK’s National Cyber Security Centre (NCSC), has already warned that the National Health Service (NHS) remains “highly vulnerable” to cyberattacks unless significant updates are made to its computer systems. This came on the heels of a recent major ransomware attack on the third-party blood testing service provider Synnovis that led to severe disruption of healthcare services across London.