NHS IT supplier hit with major fine following ransomware attack


  • Advanced software firm has been fined by the ICO for a data breach
  • This is the first penalty for a data processor
  • The information of over 79,000 people was put at risk

The UK Information Commissioner’s Office (ICO) has issued a fine of £3.07 million to software firm Advanced Computer Group Ltd following a 2022 ransomware attack in which NHS data was stolen and systems were encrypted, putting the personal information of 79,404 people at risk.

This is the first fine from the ICO given to a data processor, and serves as a “stark reminder that organisations risk becoming the next target without robust security measures in place,” the Commissioner says.

The attack caused disruption to critical services at the time, including NHS 111, and meant some healthcare staff were unable to access patient records. The stolen information included patient phone numbers, medical records and, most concerningly, access details for the homes of 890 people receiving care at home.

Insufficient protections

An Advanced spokesperson told TechRadar Pro the incident was "wholly regrettable", and that the firm is pleased to see the matter concluded:

"With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack."

The ICO’s investigation found that Advanced Computer Group Ltd didn’t deploy sufficient technical and organisational measures to keep health and care systems fully secure prior to the incident, and pointed to gaps in multi-factor authentication deployment, inadequate patch management, and ‘a lack of comprehensive vulnerability scanning’.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” confirms John Edwards, Information Commissioner.


“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

The firm was hit by a provisional fine of £6m in August 2024, but this was reduced after considerations were submitted to the ICO, including Advanced’s “proactive engagement with the NCSC, the NCA, and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted.”
