UK Fines Software Firm £3.07 Million Over 2022 NHS Ransomware Attack
The ICO's investigation revealed critical security failings at Advanced, and the penalty is the first fine in the UK against a data processor for a breach.
- The Information Commissioner's Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million for a 2022 ransomware attack that exposed sensitive data of 79,404 individuals.
- The attack, attributed to the LockBit ransomware group, disrupted NHS services, including NHS 111, and left staff unable to access patient records.
- The ICO found that Advanced failed to implement adequate security measures, citing incomplete multi-factor authentication (MFA) and poor vulnerability management.
- Sensitive information exposed in the breach included medical records and access details for 890 individuals receiving home care.
- The fine, initially proposed at £6.09 million, was reduced due to Advanced's proactive cooperation with the NCSC, NCA, and NHS to address the fallout and improve cybersecurity.