The UK’s data protection watchdog said it has provisionally decided to fine a software provider just over £6 million over a 2022 ransomware attack that disrupted NHS and social care services. The Information Commissioner’s Office (ICO) said it had provisionally found that Advanced Computer Software Group had failed to implement measures to protect the personal information of 82,946 people who were affected by the attack, which included some sensitive information. The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information as part of its role as a data processor.
In August 2022, hackers accessed a number of the firm’s health and care systems via a customer account which did not have multi-factor authentication. The attack led to disruption to critical services including NHS 111, and data taken included phone numbers and medical records, as well as details on how to gain entry to the homes of nearly 900 people receiving care at home. “This incident shows just how important it is to prioritise information security,” Information Commissioner John Edwards said.
“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations. “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their abili.