ICO issues £3m fine to NHS IT provider Advanced over 2022 data breach


Having previously indicated its intention to enforce a £6m penalty, the regulator for data protection reaches settlement with tech company following a ransomware attack that caused ‘disruption to critical services’

The Information Commissioner’s Office is to impose a £3.07m fine on NHS software supplier Advanced over a 2022 data breach that exposed instructions for accessing the homes of hundreds of patients receiving care at home.

The data-protection watchdog announced in August that it had reached a provisional decision to hit the tech firm with a £6.09m penalty. Following this initial conclusion, Advanced was given the chance to make “representations” to the ICO, during which it demonstrated “proactive engagement with the NCSC, the NCA, and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.

Following this process, the two parties have agreed a “voluntary settlement” to cut the previously proposed penalty in half.

The fine relates to a ransomware attack perpetrated in 2022 in which hackers “accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication”. Having done so, attackers stole personal data records of 79,804 people. This included “details of how to gain entry into the homes of 890 people who were receiving care at home”.

The attack also disrupted the provision of “critical” public services. This included causing an outage to the NHS 111 phoneline and online tool for urgent-care queries, as well as preventing frontline staff from accessing patient records.

The ICO indicated that the £3m punishment is the first time it has fined a data processor – referring to an organisation that handles information on behalf of a client – rather than a data controller, which owns the data in question.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said commissioner John Edwards. “While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.”

Edwards added that he hoped the incident would serve as “a stark reminder that organisations risk becoming the next target without robust security measures in place” – including MFA to protect all external connections to corporate networks.

A spokesperson for Advanced said: “What happened over two and a half years ago is wholly regrettable. With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cybersecurity remains a primary investment across our business, and we have learned a great deal as an organisation since this attack. We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals.”

Sam Trendall