The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07 million for security failings following a 2022 ransomware attack that put the personal information of 79,404 people at risk.
Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on their behalf.
The August 2022 ransomware attack happened after hackers gained access to certain systems of Advanced's health and care subsidiary through a customer account that was not protected by multi-factor authentication (MFA).
The attack resulted in the disruption of a wide range of healthcare services, including the system used for ambulance dispatch, booking out-of-hours appointments, and prescribing emergency drugs.
The stolen data included the sensitive information of approximately 890 patients receiving home care, including phone numbers, medical records, and property access information.
The breach also caused the disruption of critical services such as NHS 111, with staff unable to access patient records.
The ICO also found other technical and organisational shortcomings, including a lack of comprehensive vulnerability scanning and inadequate patch management.
On Thursday, the ICO confirmed that Advanced recognised the regulator's decision and will pay the fine without appeal.
“Today’s decision is a stark reminder that organisations risk becoming the next target without robust security measures in place,” said the regulator.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said John Edwards, information commissioner.
He pointed out that although Advanced had deployed multi-factor authentication across many of its systems, the gaps in coverage gave the attackers a way in, putting the sensitive personal information of thousands of people at risk.
The ICO had initially announced a provisional intention to fine the company £6.04 million in August 2024. The fine was later reduced in recognition of Advanced's proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS following the attack, as well as other measures taken to mitigate the risk to those affected.
Edwards commented on the settlement: “I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.”
Last year, the NHS suffered several other cyber attacks.
In June 2024, residents of the Scottish region of Dumfries and Galloway were affected by a cyberattack on the NHS that resulted in the publication of sensitive data.
Another ransomware attack on pathology service provider Synnovis heavily disrupted operations across multiple hospitals in London, impacting services such as blood tests and transfusions.