The Information Commissioner’s Office (ICO) has provisionally imposed a £6m fine on an NHS software provider over a data breach that affected more than 80,000 people. The breach, which took place in 2022, included sensitive personal information such as medical records and even details on how to gain entry to the homes of 890 individuals.
The ICO emphasized that the fine is provisional and that it will consider representations from Advanced Computer Software Group before reaching a final decision. Its provisional findings are that personal information belonging to 82,946 people was stolen by the attackers.
John Edwards, the Information Commissioner, expressed concern over the incident, stating, “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.”
The ICO confirmed that individuals affected by the hack had been notified, and Advanced had not found any evidence of the leaked information on the dark web. The criminal hackers had taken offline seven of Advanced’s health systems, impacting services such as patient check-ins, medical notes, and the NHS 111 service.
Doctors interviewed by the BBC mentioned that it could take months to process the mounting piles of medical paperwork caused by the cyber-attack, with some GP services resorting to pen and paper notes instead of electronic systems.
The attackers gained access through a customer's account that lacked sufficient protection, most notably multi-factor authentication. The ICO's provisional view is that Advanced should have had measures in place to secure that account, and that this gap, rather than a flaw in the software itself, was the weakness the attackers exploited.
Mr. Edwards urged all organizations, especially those handling sensitive health data, to secure external connections with multi-factor authentication to prevent similar incidents in the future. Given that the entry point here was a customer account rather than a staff login, the practical lesson is that the requirement applies to every externally reachable account, including customer, supplier, and support accounts, not only to an organization's own employees.