
A data processing software provider to the UK National Health Service (NHS) has agreed to pay a £3.07m ($3.96m) fine imposed by the UK Information Commissioner’s Office (ICO) over a 2022 cyber breach.
The cyberattack on Advanced Computer Software’s healthcare subsidiary disrupted critical NHS services, including the NHS 111 advice line, and left healthcare staff unable to access patient records. It put the personal data of around 80,000 individuals at risk.
An investigation by the ICO found that Advanced lacked the ‘appropriate’ technical and organisational measures to keep its systems fully secure. In particular, the absence of multi-factor authentication (MFA) – a control that requires a user to present at least two independent pieces of evidence, such as a password and a one-time code, to prove their identity – across the data processor’s system architecture enabled the cyberattack to take place.
The ICO had imposed a provisional £6.07m fine on Advanced last year. It agreed to reduce the fine after Advanced made representations on the decision, showing that it had proactively engaged with the UK National Cyber Security Centre (NCSC), the UK National Crime Agency (NCA) and the NHS following the attack and had taken other steps to mitigate the risk to those affected.
Information commissioner John Edwards said the security measures of Advanced’s subsidiary fell “seriously short” of what it would expect from an organisation processing such a large volume of sensitive information.
Edwards stated: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place.”
Incomplete MFA coverage, where a single unprotected entry point in an organisation’s or a provider’s architecture lets an attacker reach systems that are otherwise well defended, has blighted the healthcare sector in recent years.
A cyberattack last year on UnitedHealth Group subsidiary Change Healthcare, which exposed the personal data of 190 million Americans, also came down to the absence of MFA on one of the company’s portals. It remains disquietingly clear that organisations, and the providers they enlist, are still getting tripped up by these basic first-line-of-defence controls.
Edwards concluded: “I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”