Particle.news

UK Fines Software Firm £3.07 Million Over 2022 NHS Ransomware Attack

The ICO's investigation revealed critical security failings at Advanced, marking the first fine in the UK against a data processor for a breach.

Overview

  • The Information Commissioner's Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million for a 2022 ransomware attack that exposed sensitive data of 79,404 individuals.
  • The attack, attributed to the LockBit ransomware group, disrupted NHS services, including NHS 111, and left staff unable to access patient records.
  • The ICO found that Advanced's security measures were inadequate, citing incomplete multi-factor authentication (MFA) and poor vulnerability management.
  • Sensitive information exposed in the breach included medical records and access details for 890 individuals receiving home care.
  • The fine, initially proposed at £6.09 million, was reduced due to Advanced's proactive cooperation with the NCSC, NCA, and NHS to address the fallout and improve cybersecurity.