The U.K. Information Commissioner’s Office (ICO) has proposed a fine of over £6 million against NHS vendor Advanced, following findings that the company inadequately protected personal data which was later compromised in a ransomware attack.
The ICO’s investigation revealed that cybercriminals accessed Advanced’s health and care systems in August 2022 through a customer account lacking multi-factor authentication (MFA). This vulnerability facilitated the LockBit ransomware attack, which caused significant disruptions to NHS services across the UK, including outages at the NHS non-emergency 111 line and forcing hospitals and medical practices to revert to manual record-keeping. Medical staff at affected NHS trusts reported being unable to access patient records.
Mandiant, the incident response firm involved, identified the use of LockBit ransomware in the attack. Despite the involvement of LockBit, the group did not claim responsibility on its dark web leak site, which sometimes suggests that the affected organization may have paid a ransom. Advanced has not confirmed whether a ransom was paid.
By October 2022, Advanced acknowledged in its post-incident report that the breach was facilitated by “legitimate third-party credentials,” highlighting the absence of MFA on the compromised account. The ICO’s provisional fine of £6.09 million ($7.75 million) reflects this security lapse, with the regulator finding that Advanced had “breached data protection law by failing to implement appropriate security measures to protect personal data.”
The attack resulted in the theft of data from approximately 83,000 individuals in the UK, including phone numbers, medical records, and details on how to enter the homes of 890 people receiving home care.
The proposed fine is subject to change as the ICO continues its review. ICO Commissioner John Edwards stated that the decision to publicly announce the fine aims to prevent similar incidents in the future. “I urge all organizations, particularly those handling sensitive health data, to urgently secure their external connections with multi-factor authentication,” Edwards said.
Advanced has yet to respond to requests for comment on the matter.