NHS IT firm faces £6m fine over medical records hack

A software provider is facing a potential £6 million fine following a 2022 ransomware attack that disrupted NHS and social care services across England.

The Information Commissioner’s Office (ICO) has provisionally concluded that Advanced Computer Software Group did not implement adequate measures to safeguard the personal data of 82,946 people affected by the breach, which included sensitive information.

Advanced supplies IT and software services to organisations including the NHS and other health providers, and acts as a data processor on their behalf. In August 2022, attackers gained access to the firm’s health and care systems through a customer account that was not protected by multifactor authentication.

The attack caused significant disruption to critical services such as NHS 111. The stolen data included phone numbers, medical records and, for nearly 900 people receiving care at home, details of how to gain entry to their homes.

A leaked internal NHS England memo revealed that the attack had taken essential software offline, affecting multiple NHS services including urgent treatment centres and mental health providers, and posing a substantial challenge to those services.

Information Commissioner John Edwards emphasised the importance of prioritising information security: “Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations. Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care.”

Edwards expressed hope that the fine would prompt companies to urgently improve their data protection measures. He added, “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multifactor authentication, and keeping systems up to date with the latest security patches.”

The ICO’s findings are provisional, and the regulator will consider any representations from Advanced before reaching a final decision.