
UK data watchdog to fine NHS provider Advanced over security flaws ahead of LockBit ransomware attack

UK data protection regulators have imposed a provisional fine of more than £6 million on NHS provider Advanced, after finding the company failed to adequately protect thousands of people’s information, which was later stolen in a ransomware attack.

In a statement, the UK Information Commissioner’s Office (ICO) said it issued the fine after establishing that cybercriminals behind the August 2022 ransomware attack “initially gained access to a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.”

The cyberattack on Advanced caused widespread disruption to NHS services across the UK at the time, knocking out the NHS non-emergency 111 line and forcing hospitals and GP practices to resort to pen and paper for weeks. Doctors at the affected NHS trusts reported being unable to access patient records.

Mandiant, the incident response firm that helped investigate the hack, said malware used by the LockBit ransomware gang was deployed in the attack; however, LockBit has never publicly claimed responsibility for the cyberattack on its dark web leak site. This could indicate that the hacked company may have paid a ransom. Advanced previously declined to say whether it had paid one.

In October 2022, Advanced stated in its post-incident report that cybercriminals had entered Advanced’s network “using legitimate third-party credentials,” implying that there was no multi-factor authentication on the account.

Now it looks like the ICO is confirming this.

The ICO said it was provisionally issuing a £6.09 million ($7.75 million) fine after provisionally finding that Advanced had “breached data protection law by failing to implement appropriate security measures prior to the attack to protect the personal information it was processing”.

The watchdog also confirmed that the cyberattack resulted in the theft of data from around 83,000 people in the UK, including phone numbers and medical records, as well as details of “how to gain entry into the homes of 890 people receiving home care”.

The fine is provisional, the watchdog said, meaning the penalty could change. ICO commissioner John Edwards said the watchdog had taken the decision to make the case public in part to “avoid similar incidents in the future”.

“I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” Edwards said.

Spokespeople for Advanced did not respond to a request for comment by publication time.

Written by Anika Begay
