The UK data protection authority has imposed an interim fine of more than £6 million on NHS vendor Advanced after finding that the company failed to properly protect the personal information of thousands of people that was later stolen in a ransomware attack.
The UK Information Commissioner's Office (ICO) said in a statement that it imposed the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially accessed some of Advanced's health systems through customer accounts that lacked multi-factor authentication.”
The cyber attack on Advanced caused widespread disruption to NHS services across the UK at the time, taking down the NHS non-emergency 111 line and forcing hospitals and clinics to rely on pen and paper for weeks. Doctors at affected NHS trusts reported being unable to access patient records.
Mandiant, an incident response firm that helped investigate the hack, said the attack involved malware used by the LockBit ransomware group. But LockBit has never publicly claimed responsibility for the attack on its dark web leak site, which could suggest that the hacked company paid the ransom. Advanced has previously declined to comment on whether it paid.
In October 2022, Advanced said in a post-incident report that the cybercriminals had gained access to its network “using legitimate third-party credentials,” suggesting the accounts did not have multi-factor authentication.
Now, the ICO appears to be confirming that.
The ICO announced an interim fine of £6.09 million ($7.75 million) after provisionally determining that Advanced “breached data protection law by failing to implement appropriate security measures to protect personal information it was processing prior to the attack.”
The ICO also confirmed that the personal information of around 83,000 people in the UK had been stolen in the attack, including phone numbers and medical records, as well as details of “how to break into the homes of 890 home care recipients”.
The watchdog said the fine is provisional and the final penalty could change. ICO Commissioner John Edwards said the watchdog had also decided to make the case public “to avoid similar incidents in the future.”
“We urge all organisations, particularly those handling sensitive health data, to immediately protect their external connections with multi-factor authentication,” Edwards said.
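The ICO's finding, that the intrusion began through externally reachable customer accounts without MFA, is the kind of gap an organisation can look for in its own authentication logs before an attacker does. The following is an added example, not code from the ICO, Advanced or Mandiant: it parses constructed gateway and portal login records (one JSON object per line, with assumed field names such as `mfa`, `src` and `account_type`) and flags every successful login from outside the internal address ranges that did not complete an MFA step, then tallies the gaps by account category so that third-party and customer accounts, the ones least under the organisation's direct control, can be prioritised for remediation.

```python
"""Flag successful logins over external connections that did not complete MFA.

Added example, not code from the ICO, Advanced or Mandiant. The log format
(one JSON object per line with the fields used below) and the field names are
assumptions; adapt the parser to the VPN, gateway or portal logs you actually have.
"""
import ipaddress
import json

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
{"ts": "2022-08-04T02:13:07Z", "user": "vendor-support-01", "account_type": "third-party", "src": "203.0.113.45", "service": "remote-gateway", "result": "success", "mfa": false}
{"ts": "2022-08-04T02:14:30Z", "user": "clinic-portal-07", "account_type": "customer", "src": "198.51.100.9", "service": "web-portal", "result": "success", "mfa": false}
{"ts": "2022-08-04T02:15:02Z", "user": "ops-admin-02", "account_type": "staff", "src": "198.51.100.22", "service": "remote-gateway", "result": "success", "mfa": true}
{"ts": "2022-08-04T02:16:45Z", "user": "clinic-portal-07", "account_type": "customer", "src": "203.0.113.45", "service": "web-portal", "result": "failure", "mfa": false}
{"ts": "2022-08-04T02:17:10Z", "user": "batch-internal", "account_type": "staff", "src": "10.20.30.40", "service": "file-share", "result": "success", "mfa": false}
"""

# Address ranges treated as "inside" the network (assumed); anything else is an external connection.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken line should not abort the whole audit
    return events


def is_external(src, internal_nets=INTERNAL_NETS):
    """True when the source address lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparseable source is treated as external, the conservative choice
    return not any(addr in net for net in internal_nets)


def flag_unprotected_logins(events, internal_nets=INTERNAL_NETS):
    """Return successful logins from external sources that did not complete MFA.

    Failed attempts and internal-only logins are left out: the policy being checked
    is the one the ICO pointed at, MFA on every external connection.
    """
    findings = []
    for e in events:
        if e.get("result") != "success" or e.get("mfa") is True:
            continue
        if not is_external(e.get("src", ""), internal_nets):
            continue
        findings.append({
            "ts": e.get("ts"),
            "user": e.get("user"),
            "account_type": e.get("account_type", "unknown"),
            "src": e.get("src"),
            "service": e.get("service"),
        })
    return findings


def count_by_account_type(findings):
    """Summarise gaps per account category, which is how remediation gets prioritised."""
    counts = {}
    for f in findings:
        counts[f["account_type"]] = counts.get(f["account_type"], 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_unprotected_logins(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['user']} ({f['account_type']}) from {f['src']} via {f['service']}: no MFA")
    print(count_by_account_type(found))
```

On the constructed sample the check reports the third-party gateway login and the customer portal login, and ignores the staff login that did complete MFA, the failed attempt and the internal file-share login. Run against real logs, a non-empty result is a list of external entry points to enforce MFA on; an empty result is only as good as the log coverage, so confirm that every remote-access service actually writes into the set of logs being audited.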
An Advanced spokesman did not respond to a request for comment before publication.