A major NHS software provider has been fined £3m after a cyber attack exposed the personal data of nearly 80,000 people – including home entry details and medical records for vulnerable patients.
The information comissioner’s office (ICO) ruled that Advanced Computer Software Group had “seriously inadequate” security measures, allowing hackers to infiltrate its systems in August 2023.
The breach disrupted vital NHS 111 services, stripped staff from being able to access patient records, overall adding pressure to an already strained healthcare system.
The ransomware attack was made possible because the software provider failed to implement multi-factor authentication (MFA) across all of its systems, allowing cyber criminals to exploit a customer account with weak security.
The ICO reported that the company’s failures left a critical system that processes highly sensitive data, “dangerously exposed”.
Real-world consequences
The breach compromised patients’ phone numbers, their medical records, and even instructions on how to access the homes of 890 vulnerable individuals receiving care.
The impact rippled through the NHS services, delaying emergency responses and patient treatment.
Last year, the ICO provisionally set the fine to £6m, but proceeded to halve it due to the firm’s cooperation with police, cyber experts and the NHS in the aftermath of the attack.
The penalty should, however, serve as a trenchant reminder to all firms handling highly sensitive data.
“There is no excuse for leaving any part of your system vulnerable”, said information commissioner John Edwards.
The provider’s failure to fully roll out MFA also garnered critique.
Edwards dubbed it an unacceptable security lapse for a firm entrusted with such critical information.
The fine has been revealed amid growing regulatory pressure on companies to prioritise cyber security, especially in sectors handling sensitive data sets.
Meanwhile, a growing pay gap between public and private sector cyber roles has led some firms to warn the UK‘s national security is at risk, because it is harder for government to attract and retain top talent.
“The risks to UK national security from cyber crime are real, and the potential costs and damage to critical national infrastructure are staggering”, said Naoris Protocol chief executive David Carvalho.