NHS software provider fined £3m over data breach

The Information Commissioner’s Office (ICO) has imposed a £3m fine on an NHS software provider due to security lapses that exposed personal information to a ransomware attack. Advanced Computer Software Group was found responsible for the breach, which jeopardized the data of 79,404 individuals, as disclosed by the UK’s data protection authority. The company, which delivers IT and software solutions to various organisations including the NHS, operates as a data processor handling sensitive information.

In August 2022, hackers infiltrated the system, compromising patients’ contact details, medical records, and even access instructions for 890 home care recipients. The breach was made possible through the exploitation of a customer account lacking adequate multi-factor authentication, according to reports. The ICO’s investigation revealed shortcomings in Advanced’s security protocols prior to the incident, which disrupted vital services such as NHS 111 and hindered healthcare professionals’ access to patient information.

Despite Advanced’s efforts to implement multi-factor authentication across some systems, the partial coverage was deemed insufficient by Information Commissioner John Edwards. The regulator said the incident had exacerbated pressure on an already strained sector, emphasizing the need for comprehensive security measures for organisations handling sensitive data. The ICO initially proposed a £6m penalty, but it was reduced by half due to Advanced’s proactive collaboration with law enforcement, cybersecurity agencies, and the NHS in response to the cyberattack.

Read the full article from the BBC.