NHS IT firm faces huge fine after medical records hack
An NHS software supplier has been handed a provisional fine of £6 million by the Information Commissioner’s Office (ICO) following a serious data breach.
Advanced Computer Software Group was hit by a cyberattack in October 2022, taking down NHS patient check-in systems, medical records and the NHS 111 non-emergency service.
In total, the personal data of 82,946 people was stolen by the attackers.
Provisional fine
John Edwards, the Information Commissioner, said: “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector that was already under pressure has been put under even further pressure by this incident.”
The attackers gained access to sensitive information by exploiting a poorly secured customer account. Medical records of patients were among the stolen data, including information on “how to access the homes of 890 people.” Those affected were notified after the breach, but Advanced Computer Software Group has so far found no evidence that the stolen information has appeared on the dark web.
Because the attack took the systems offline, some GP services had to resort to paper notes, with some doctors indicating to the BBC at the time that it would take months to process the backlog of paperwork.
The ICO said the fine was provisional and that a final decision was pending because there had been no response from Advanced Computer Software Group.
“I am choosing to announce this interim decision today because I have a duty to ensure that other organizations have information that can help them secure their systems and prevent similar incidents in the future,” Edwards added. “I urge all organizations, particularly those that handle sensitive health data, to secure remote connections with multi-factor authentication.”