
UK Data Regulator Fines NHS Services Software Provider Over $3 Million for 2022 Ransomware Attack

The UK’s data privacy watchdog, the Information Commissioner’s Office (ICO), has imposed a £3.07 million ($3.95 million) fine on a software provider for the 2022 ransomware attack that disrupted various NHS services.

The attack, attributed to the LockBit ransomware group, affected Advanced Health and Care Limited, a subsidiary of Advanced Computer Software Group Ltd, and exposed the personal information of 79,404 people.

Advanced is a managed service provider (MSP) that works with over 22,000 companies worldwide, including non-profits, educational institutions, and healthcare organizations.

The privacy regulator faulted Advanced’s subsidiary for failing to implement adequate security measures such as multi-factor authentication (MFA), vulnerability scanning, and patch management, leaving patients’ sensitive information at risk of unauthorized access.

Ransomware attack on NHS services results in a £3.07 million fine

The NHS ransomware attack leveraged compromised credentials to enable remote access via remote desktop protocol (RDP) on a Citrix server before traversing laterally across the organization.
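The access pattern the ICO describes (a credential-based RDP logon onto a remote-access host that MFA did not cover, followed by lateral movement) can be checked for in logon telemetry. The following is an added detection example, not code from the article, the ICO, or Advanced; the simplified Windows 4624-style event lines, host names, account names, addresses, and the MFA-covered host inventory are all constructed for illustration.

```python
"""Flag two things from simplified logon events: an RDP logon (Windows logon
type 10) from outside the network onto a host that is not MFA-covered, and one
account reaching several hosts via network logons (type 3) in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, destination host, logon type, source IP.
SAMPLE_EVENTS = """\
2022-08-04T01:02:10 svc_support CITRIX-GW01 10 203.0.113.45
2022-08-04T01:05:31 svc_support FILESRV02 3 10.20.0.15
2022-08-04T01:06:02 svc_support DBSRV01 3 10.20.0.15
2022-08-04T01:06:40 svc_support APPSRV07 3 10.20.0.15
2022-08-04T09:00:00 jsmith WKS-0412 2 10.20.1.88
"""

# Assumed inventory of remote-access hosts where MFA is enforced (constructed).
MFA_COVERED_HOSTS = {"CITRIX-GW02", "VPN-GW01"}
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


def parse_events(text):
    """Parse the whitespace-separated sample format into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, logon_type, src = line.split()
        events.append((datetime.fromisoformat(ts), account, host, int(logon_type), src))
    return events


def find_uncovered_rdp(events):
    """RDP logons from a non-internal source onto a host with no MFA enforcement."""
    return [(acct, host, src) for _, acct, host, lt, src in events
            if lt == 10 and host not in MFA_COVERED_HOSTS
            and not src.startswith(INTERNAL_PREFIXES)]


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts that log on to at least min_hosts distinct hosts within one window."""
    by_account = defaultdict(list)
    for ts, acct, host, lt, _ in events:
        if lt == 3:  # network logon, the type used for SMB/WMI-style host hopping
            by_account[acct].append((ts, host))
    flagged = {}
    for acct, visits in by_account.items():
        visits.sort()
        for i, (start, _) in enumerate(visits):
            hosts = {h for t, h in visits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged
```

Both checks are intentionally simple thresholds; in production the MFA-covered inventory should come from the identity provider rather than a hand-maintained set, since the ICO's point was precisely that partial coverage went unnoticed.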

The ransomware attack also denied some healthcare professionals access to patient records, impacting patient care. It also affected NHS 111, which directs patients to the right NHS services, prompting the healthcare organization to advise patients to use the online system to avoid delays.

Subsequently, NHS 111 phone operators were forced to use pen and paper, thus increasing response time. For some NHS services, the disruption lasted for months, which is typical for a ransomware attack.

The attack also allowed threat actors to access patients’ phone numbers, medical records, and details of how to enter the residences of 890 patients receiving home care, putting the victims at risk of phishing, extortion, and physical harm.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said Commissioner John Edwards. “While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

The regulator also blamed the NHS services software supplier for putting “further strain” on a “sector already under pressure” by failing to prevent the ransomware attack.

ICO had planned to fine Advanced £6 million ($7.74 million) but reconsidered the penalty after crediting the NHS services software provider for engaging with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS after the ransomware attack. ICO had hinted that the final penalty would depend on how the NHS services software supplier handled the ransomware attack.

For the first time, British regulatory authorities have imposed a fine on a data processor instead of the data controller.

In the past, ICO has fined various data controllers, including British Airways (£20 million), Interserve Group (£4.4 million), and Marriott (£18.4 million) for various data breaches. In April 2023, ICO also fined TikTok £12.7 million for misusing children’s data.

In 2023, ICO’s attempt to impose a £7.5 million ($9.3 million) fine on Clearview hit a snag after a tribunal ruled that the watchdog had no legal authority to penalize the U.S. social media data scraper as it serves foreign law enforcement agencies.

Meanwhile, the ICO commissioner hopes the Advanced Computer Software Group fine would encourage other organizations to have “robust security measures in place,” adding that there was “no excuse for leaving any part of your system vulnerable.”