Cyber Threat Radar – A leading NHS IT provider is set to incur a fine exceeding £6 million due to shortcomings that resulted in a cyberattack and the compromise of nearly 83,000 medical records.
The Information Commissioner’s Office (ICO) has been conducting an investigation into Advanced, a provider of essential systems for the healthcare sector, following a data breach that occurred on August 4, 2022.
Significant Repercussions For NHS
This cyberattack had significant repercussions, impacting the systems responsible for:
- Scheduling out-of-hours appointments
- Issuing emergency prescriptions
- Dispatching ambulances
In a preliminary decision, the ICO has determined that the software provider violated data protection regulations by not adequately safeguarding the personal information of 82,946 individuals. The data was compromised during a ransomware attack in which hackers accessed Advanced’s computer systems through an account that lacked multi-factor authentication (MFA).
NHS Medical Records Exposed
MFA generally prevents cybercriminals from using stolen passwords to gain unauthorized access. The compromised data contained sensitive details, including phone numbers, medical records, and information regarding access to the residences of 890 individuals receiving care at home.
The ICO has tentatively determined to levy a fine of £6.09 million; however, the ultimate decision and any associated penalties will be contingent upon Advanced’s response.
Observations From UK Information Commissioner
John Edwards, UK Information Commissioner, observed:
- This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
- Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
- For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
- I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.
“Data processors operate under the directives of their clients, known as data controllers, who maintain ultimate authority over the usage and purpose of personal information,” said Tim Jenkins, Head of Cyber Defense Research, SentryBay. “However, in this case, data processors such as Advanced still have their own obligations to implement appropriate technical and organisational measures to ensure patient information is kept secure. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
Advanced issued an update in response to the data breach, confirming that patient information was extracted from their systems prior to encryption.
“Another Wake-Up Call For The NHS”
“This latest data breach is another wake-up call for the NHS,” commented Liam Davenport, Global Cybersecurity Solutions Director, SentryBay. “Remember, the 2018 WannaCry cyberattack had a significant impact on the NHS, resulting in the cancellation of thousands of appointments and incurring costs close to £100 million. Cybercriminals are increasingly using invasive and dangerous malware to steal sensitive healthcare and patient information. SentryBay’s patented Armored Client solution eliminates this threat, protecting sensitive data. This revolutionary product is recognized by Gartner as a leader in the Gartner Hype Cycle for Endpoint Security under the Endpoint Access Isolation category.”