The UK’s Information Commissioner’s Office (ICO) has provisionally imposed a £6 million (€7 million) fine on Advanced Computer Software Group, an NHS software provider, following a significant data breach in 2022. This breach affected over 80,000 individuals, exposing sensitive personal information, including medical records and access details for the homes of 890 people.
The ICO revealed that hackers “exfiltrated” personal information of 82,946 people. John Edwards, the Information Commissioner, emphasized the severity of the breach, noting the disruption caused to health services. “A sector already under pressure was put under further strain due to this incident,” Edwards stated.
The breach had extensive repercussions, impacting several health systems managed by Advanced, including patient check-ins, medical notes, and the NHS 111 service. This forced some GP services to revert to pen and paper for note-taking, significantly slowing down operations. Doctors reported that it might take months to process the backlog of medical paperwork caused by the cyber-attack.
Advanced notified the affected individuals but found no evidence that the stolen information had been published on the dark web. The attackers gained entry through a customer account that lacked adequate protection; the ICO's provisional view is that Advanced should have had stronger controls in place to prevent this kind of account compromise.
Edwards stressed the importance of publicizing this provisional decision to alert other organizations. “I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” he said.
The ICO will consider Advanced's representations before making a final decision on the fine. The incident is a stark reminder of the need for robust cybersecurity controls across the healthcare sector, including at the third-party suppliers that hold NHS data.