by Sofia Villegas
07 August 2024
IT firm faces £6m fine over NHS hack

An NHS IT provider faces a £6m penalty for security failures that led to theft of thousands of medical records | Alamy

The Information Commissioner's Office (ICO) has imposed a provisional fine of more than £6m on an NHS software provider for security failures that led to a major breach of patient data.

The incident occurred in 2022 and led to hackers accessing medical records of almost 83,000 people, which included sensitive information.

Advanced Computer Software Group Ltd (ACSG) is facing the multimillion-pound fine after the watchdog found it had failed to implement appropriate data protection measures at the time of the attack.

The ICO found the cybercriminals were able to access the company's systems via a customer account that did not have multi-factor authentication.

Hacked data included phone numbers and medical records as well as details on how to get into the homes of almost 900 people who received home-based care at the time.

The ransomware attack also took critical software offline, disrupting multiple health services including NHS11, patient check-in, urgent treatment centres and mental health providers.

However, ACSG found no evidence that any data had been published on the dark web.

The ICO said there is still no conclusion on whether there was any breach of data protection law and added it would consider any representations from ACSG before making a final decision on the fine.

John Edwards, UK Information Commissioner, said: “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.

“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
