The data protection regulator announced that a software provider could be fined over £6m for a 2022 attack on ransomware which disrupted NHS services and social care in England.
The Information Commissioner’s Office said that it had found, provisionally, that Advanced Computer Software Group failed to implement any measures to protect personal information for 82,946 individuals who were affected by this attack. This included sensitive information.
As a data processor, the firm offers IT and software solutions to organizations across the country. This includes the NHS as well as other healthcare providers.
Hackers gained access to the health care system of a firm in August 2022 by using a customer’s account without multifactor authentication.
The attack caused disruptions to vital services, including NHS 111 . Data taken included phone numbers, medical records as well as information on how to enter the homes of almost 900 people who receive care at home.
A leaked internal NHS England document revealed to the Guardian that “a number NHS services, such as NHS 111, certain urgent treatment centers and some mental healthcare providers, use software that has been taken off-line”. The memo continued: “This poses a significant challenge for these services.”
John Edwards, the information commissioner, said that this incident demonstrated how vital it is to prioritize information security.
He said: “Losing the control of sensitive information about individuals will have been distressing to people who were forced to trust health and care organizations.
This incident not only compromised personal information, but also disrupted the ability of some health care services to provide patient care.
This incident has put an already stressed sector under even more strain.
Edwards said that he hoped that the fine would prompt companies to take urgent measures to protect personal data.
He said: “For a company trusted to handle significant volumes of sensitive data and data classified as special categories, we have found that its approach to security was seriously lacking before this incident.”
Our preliminary conclusion is that Advanced Healthcare failed to secure its healthcare system despite installing security measures on its corporate system.
“We expect that all organisations take basic steps to secure their system, including regularly checking for weaknesses, implementing multifactor identification, and keeping up-to-date with the latest security patch.
I am going to make this decision public today because it’s my duty to provide other organisations with information that will help them secure their systems, and prevent similar incidents from happening in the future.
I urge all organisations to secure their external connections urgently with multifactor authentication, particularly those that handle sensitive health data.
The ICO stated that its findings are provisional, and it is too early to draw any conclusions about whether or not there has been a violation of the data protection laws.
The regulator stated that it would take into account any comments from Advanced before deciding on a final solution.
Post Disclaimer
The following content has been published by Stockmark.IT. All information utilised in the creation of this communication has been gathered from publicly available sources that we consider reliable. Nevertheless, we cannot guarantee the accuracy or completeness of this communication.
This communication is intended solely for informational purposes and should not be construed as an offer, recommendation, solicitation, inducement, or invitation by or on behalf of the Company or any affiliates to engage in any investment activities. The opinions and views expressed by the authors are their own and do not necessarily reflect those of the Company, its affiliates, or any other third party.
The services and products mentioned in this communication may not be suitable for all recipients, by continuing to read this website and its content you agree to the terms of this disclaimer.