The UK’s data protection regulator has announced that its investigation into the tech firm ‘provisionally found serious failings in its approach to information security’ before the incident that compromised 83,000 people’s data
The Information Commissioner’s Office has made a provisional decision to issue a £6.1m fine to Advanced Computer Software over a 2022 cyberattack that caused months of disruption to NHS bodies.
The ransomware assault affected the Birmingham-headquartered firm’s products including Adastra, a patient-management platform used to support the urgent-care treatment of up to 40 million people, and the Carenotes electronic patient records system used by 40,000 doctors. Advanced’s technology also supports the delivery of the vast majority of enquiries to the NHS 111 service for urgent care issues which, according to the ICO, also faced disruption following the incident.
Six months after the incident, ministers revealed that some NHS organisations had still not reconnected to impacted systems. Now, 18 months on from that, the data-protection watchdog has identified “serious failings” it claims were present in Advanced’s cybersecurity set-up before the attackers struck.
Hackers stole personal data related to 82,946 people, including information such as contact details and medical records and, in the case of 890 people receiving care at home, instructions on gaining entry to their residence.
“People impacted have been notified, and Advanced found no evidence that any data was published on the dark web,” the ICO added.
Nevertheless, the watchdog’s investigation found Advanced “failed to implement measures to protect the personal information” that was compromised during the incident. Hackers were able to gain access to the software firm’s system using a customer account that was not protected with multi-factor authentication, according to the ICO.
The information commissioner John Edwards said that he had decided to publicly announce the provisional penalty issued to the software provider “as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future”.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure,” he added. “We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
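The ICO’s finding above is a scoping gap: MFA had been rolled out on corporate systems, but a customer account with access to the healthcare systems sat outside that enforcement. A practical way to catch this is to audit not whether “MFA is enabled” in general, but whether every account-to-system access path is covered by a policy that enforces it. The following is an added example, not code from the article, from Advanced or from the ICO; the accounts, systems and policies are constructed for illustration and do not describe Advanced’s real configuration.

```python
"""
Added example: audit MFA coverage per access path, not per organisation.
All account, system and policy records here are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]      # directory groups the account belongs to
    systems: FrozenSet[str]     # systems the account can reach
    mfa_enrolled: bool          # a second factor is actually registered


@dataclass(frozen=True)
class Policy:
    name: str
    applies_to_groups: FrozenSet[str]   # which groups the policy targets
    applies_to_systems: FrozenSet[str]  # which systems it protects; "*" = all
    require_mfa: bool


def covered_by_mfa(account: Account, system: str, policies: Iterable[Policy]) -> bool:
    """True if at least one MFA-enforcing policy is in scope for this account on this system."""
    for p in policies:
        if not p.require_mfa:
            continue
        if not (account.groups & p.applies_to_groups):
            continue
        if "*" in p.applies_to_systems or system in p.applies_to_systems:
            return True
    return False


def audit_mfa_gaps(accounts: Iterable[Account], policies: Iterable[Policy]) -> List[Tuple[str, str, str]]:
    """Return (account, system, reason) for every access path that is not protected by MFA.

    Two distinct failure modes are reported: no policy in scope at all (the
    configuration gap), and a policy in scope but no factor enrolled (the
    enforcement gap, which only a per-account check will surface).
    """
    gaps = []
    for a in accounts:
        for s in sorted(a.systems):
            if not covered_by_mfa(a, s, policies):
                gaps.append((a.name, s, "no MFA-enforcing policy in scope"))
            elif not a.mfa_enrolled:
                gaps.append((a.name, s, "policy requires MFA but no factor enrolled"))
    return gaps


# Constructed sample directory: one staff user, one customer account, one
# staff user who was never enrolled. Names and systems are hypothetical.
ACCOUNTS = [
    Account("alice", frozenset({"staff"}), frozenset({"corp-vpn", "healthcare-portal"}), True),
    Account("cust-0042", frozenset({"customer"}), frozenset({"healthcare-portal"}), True),
    Account("bob", frozenset({"staff"}), frozenset({"corp-vpn"}), False),
]

# Weak setting: MFA enforced only for staff, so customer accounts reaching the
# healthcare portal fall outside every enforcing policy.
WEAK_POLICIES = [
    Policy("corp-mfa", frozenset({"staff"}), frozenset({"*"}), True),
]

# Corrected setting: an additional policy brings customer accounts into scope
# for every system. The enrolment gap for "bob" still has to be fixed per account.
HARDENED_POLICIES = WEAK_POLICIES + [
    Policy("all-accounts-mfa", frozenset({"staff", "customer"}), frozenset({"*"}), True),
]


if __name__ == "__main__":
    for label, policies in (("weak", WEAK_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(f"[{label}]")
        for name, system, reason in audit_mfa_gaps(ACCOUNTS, policies):
            print(f"  {name} -> {system}: {reason}")
```

Run against the weak policy set the audit reports the customer account as uncovered on the healthcare portal; the hardened set closes that gap but still flags the un-enrolled staff account, which is why a coverage audit should check enrolment as well as policy scope.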
The decision to issue such a hefty penalty is only provisional at this stage, and the ICO said that it may reduce the size of the fine, or eliminate it entirely, if it later finds that there has not been any breach of data-protection law. In the coming days, Edwards “will carefully consider any representations Advanced makes before making a final decision”.
The commissioner said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations. Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident. For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.”
Advanced response
Responding to the ICO’s provisional decision, a spokesperson for Advanced said that, after detecting the attack in August 2022, the firm “promptly isolated certain systems leading to a temporary loss of service for some customers”.
“Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time,” the spokesperson added. “These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total.”
The software firm said that it has worked to provide support to its customers throughout the incident “and can confirm that no data was ever made available publicly”.
“Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse,” the spokesperson said.
Following the attack, Advanced claims to have taken steps “to transform our business and [we] are a more secure and resilient company than we were two years ago”.
The company said that it has “cooperated fully with the ICO investigation over the past two years and will respond to their provisional findings, detailing a comprehensive response ahead of a final decision being made”.
The spokesperson added: “We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously. Cybersecurity continues to be a primary investment throughout our business; we continue to adapt and evolve our response to the ever-changing cybersecurity threats and challenges.”