Data Breaches
August 8, 2024

UK IT Provider Faces £6.09 Million Fine for 2022 Ransomware Breach

The UK's Information Commissioner's Office (ICO) has issued a provisional decision to levy a fine of £6.09 million on Advanced Computer Software Group Ltd (Advanced). The penalty stems from the company's failure to protect personal information during a ransomware attack in 2022, which impacted tens of thousands of individuals.

Advanced, a prominent IT service and hosting provider for the National Health Service (NHS), experienced a security breach on August 4, 2022. This cyber-attack had widespread repercussions, impacting hundreds of public and private entities, including NHS 111, and disrupting various healthcare products such as Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan, and eFinancials.

The breach exposed the personal information of nearly 83,000 individuals. Notably, it revealed instructions on accessing the homes of 890 people receiving in-home care. Those affected were promptly notified and advised on mitigation steps, but the potential consequences of the breach remain substantial, even though no data has surfaced on the dark web to date.

UK Information Commissioner John Edwards emphasised the importance of robust information security practices in light of this incident. "Losing control of sensitive personal information is distressing for those who have entrusted their data to health and care organisations," Edwards remarked. He criticised Advanced's security measures before the attack, highlighting serious deficiencies given the sensitive data they handled.

The ICO underscored the importance of basic security protocols such as applying security updates, enabling multi-factor authentication, and regularly checking systems for known vulnerabilities. These fundamental measures are essential for protecting sensitive data, and all organisations are expected to adhere to these minimum standards.

The ICO's provisional decision serves as a stern reminder to all organisations about their security responsibilities and the severe consequences of failing to meet them. The proposed fine, however, is not final. The ICO is awaiting a response from Advanced before making a definitive ruling. If the fine remains at £6.09 million, it will equate to approximately £73.40 per exposed individual, a notably high penalty compared to past incidents.

To Sum Up

This case underscores the necessity for organisations, particularly those handling sensitive information, to prioritise and continuously enhance their cyber security measures to prevent breaches and protect the privacy of individuals.
