
The UK's data protection authority has imposed a provisional fine of more than £6 million on NHS software supplier Advanced for failing to adequately protect the personal information of tens of thousands of people that was stolen in a ransomware attack.
The UK Information Commissioner’s Office said in a statement that the fine was imposed after it discovered that the cybercriminals behind the ransomware attack in August 2022 had “initially accessed a number of Advanced’s health and care systems through customer accounts that did not have multi-factor authentication”.
The cyberattack on Advanced caused widespread disruption to NHS services across England at the time, with the NHS non-emergency 111 phone line down and hospitals and clinics forced to rely on pen and paper for weeks. Doctors at affected NHS trusts reported losing access to patient records.
Mandiant, the incident response firm that helped investigate the hack, said malware from the LockBit ransomware gang was used in the attack, but LockBit has never publicly claimed responsibility for the Advanced intrusion on its dark web leak site. A victim's absence from a leak site can be a sign that a ransom was paid. Advanced has previously declined to say whether it paid.
In its October 2022 after-action report, Advanced said cybercriminals had breached its network "using legitimate third-party credentials." That phrasing on its own does not establish whether the accounts were protected by multi-factor authentication: valid credentials can be stolen or phished regardless, but without a second factor they are enough on their own to log in.
The ICO's findings now confirm that they were not.
The ICO said it was imposing an interim fine of £6.09 million ($7.75 million) after the regulator found Advanced had “breached data protection law by failing to implement adequate security measures to protect personal data it was processing prior to the attack”.
The ICO also said the watchdog had confirmed the cyberattack resulted in the theft of information including phone numbers and medical records of around 83,000 people in the UK, as well as details of “how to enter the homes of 890 people who were receiving home care”.
The fine is provisional, the watchdog said, meaning the final penalty could change. ICO commissioner John Edwards said the watchdog decided to go public about the incident in part to "prevent similar incidents from occurring in the future".
“I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” Edwards said.
A spokesperson for Advanced did not respond to a request for comment before publication.