An NHS software provider could be fined £6m by the ICO for failing to protect against a data hack which severely impacted GPs in 2022.
As revealed by sister title Pulse, parts of the NHS 111 service suffered a ‘total system outage’ during the 2022 attack, and GPs working in urgent care had to share patient records on Word documents.
The Information Commissioner’s Office (ICO) has provisionally decided to fine Advanced – now known as OneAdvanced – £6.09m, after finding that the provider ‘failed to implement measures to protect the personal information’ relating to 82,946 data subjects during a ransomware attack.
The ICO found that the hackers gained initial access to a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication enabled.
The stolen data included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
People impacted have been notified, and Advanced ‘found no evidence that any data was published on the dark web’, the ICO said.
But it found that the provider breached data protection law in ‘failing to implement appropriate security measures’ prior to the attack to protect the personal information it was processing.
UK Information Commissioner John Edwards said that the provisional finding is that Advanced ‘failed to keep its healthcare systems secure’ despite already installing measures on its corporate systems.
He said: ‘This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
‘Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
‘For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.’
The ICO also said that these findings ‘are provisional’ and that ‘no conclusion should be drawn at this stage’ that there has been ‘any breach of data protection law’ or that a financial penalty will ultimately be imposed.
It will consider any representations Advanced makes before reaching a final decision, and the amount of the fine is also subject to change.
Mr Edwards added: ‘I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.
‘I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.’
The 111 outage meant GPs in London were warned they could see an influx of patients signposted from the service.
An Advanced spokesperson said: ‘Upon detecting suspicious cyber activity in August 2022, we promptly isolated certain systems leading to a temporary loss of service for some customers. Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time. These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total.
‘We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems.
‘We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously. Cybersecurity continues to be a primary investment throughout our business; we continue to adapt and evolve our response to the ever-changing cybersecurity threats and challenges.
‘We have cooperated fully with the ICO investigation over the past two years and will respond to their provisional findings, detailing a comprehensive response ahead of a final decision being made. Since the incident in August 2022, we have continued to transform our business and are a more secure and resilient company than we were two years ago.’
A version of this story was first published on our sister title Pulse.