The Information Commissioner's Office (ICO) is considering imposing a £6m fine on Advanced Computer Software Group (Advanced). The fine follows a data breach that affected 82,946 people and impacted NHS and social care services.

After an investigation, the ICO has decided that Advanced “failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.”  

John Edwards, UK Information Commissioner (Image Credit: LinkedIn)

John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations. 

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.”  

What happened in 2022?

In August 2022, Advanced suddenly shut down some of its infrastructure services used by healthcare providers. This affected the NHS 111 service, which heavily relies on Advanced, forcing operators to use paper-based systems. It also impacted GP services, as patients were unable to get through to NHS 111.

In a statement at the time, Advanced said it had “identified an issue on infrastructure hosting products used by our Health & Care customers. Those products identified as being affected are Adastra, Carey’s, Carenotes, Crosscare, Odyssey and Staffplan.”

The attackers used stolen credentials to create a Remote Desktop session to a Staffplan Citrix server. That account had no multifactor authentication, making it easy for the attackers to gain access. Once in, they were able to escalate privileges and move laterally through the system. They then exfiltrated data and deployed encryption to lock the systems.
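The chain described above starts with a remote desktop logon by an account that sat outside any MFA policy. One way a defender can surface that condition from Windows Security log data is to pick out RemoteInteractive logons (event 4624, logon type 10) by accounts that are not covered by the MFA policy, and to flag those sessions that were also granted sensitive privileges (event 4672). The script below is an added example written for this article; it is not code from the ICO, Advanced or the original report. The log lines are constructed and use a simplified pipe-delimited layout rather than real event XML, and the `MFA_ENFORCED` set stands in for whatever group or policy lists the accounts that actually require MFA.

```python
"""Flag RDP logons outside the MFA policy and pair them with privilege grants (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample events (not real logs), one per line:
# timestamp | EventID | account | logon type (4624 only, '-' otherwise) | logon id | source IP
SAMPLE_LOG = """\
2022-08-04T01:58:11Z|4624|CORP\\svc_staffplan|10|0x4a1f2|203.0.113.10
2022-08-04T01:58:12Z|4672|CORP\\svc_staffplan|-|0x4a1f2|-
2022-08-04T02:03:40Z|4624|CORP\\helpdesk01|10|0x4b220|198.51.100.7
2022-08-04T02:20:05Z|4624|CORP\\jdoe|2|0x4c3a9|-
2022-08-04T02:22:19Z|4672|CORP\\jdoe|-|0x4c3a9|-
"""

# Hypothetical: the accounts your MFA policy actually covers. In practice this would
# come from the identity provider or the Citrix/RDP gateway policy, not a literal.
MFA_ENFORCED: Set[str] = {"CORP\\helpdesk01"}

RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP / Citrix ICA) in event 4624
EVENT_LOGON = 4624           # "An account was successfully logged on"
EVENT_SPECIAL_PRIVS = 4672   # "Special privileges assigned to new logon"


@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str
    logon_type: Optional[int]
    logon_id: str
    source_ip: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited lines into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ltype, lid, ip = line.split("|")
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event_id=int(eid),
            account=acct,
            logon_type=int(ltype) if ltype != "-" else None,
            logon_id=lid,
            source_ip=ip if ip != "-" else None,
        ))
    return events


def rdp_logons_without_mfa(events: List[Event], mfa_enforced: Set[str]) -> List[Event]:
    """Return every RDP (type 10) logon made by an account outside the MFA policy."""
    return [
        e for e in events
        if e.event_id == EVENT_LOGON
        and e.logon_type == RDP_LOGON_TYPE
        and e.account not in mfa_enforced
    ]


def privileged_rdp_sessions(
    events: List[Event], window: timedelta = timedelta(minutes=15)
) -> List[Tuple[str, Optional[str], timedelta]]:
    """Pair each RDP logon with a 4672 event for the same logon id inside `window`.

    A 4672 shortly after the logon means the session was handed sensitive
    privileges, i.e. an admin-level account came in over RDP. That is the
    combination (remote access + privileged account) that MFA should gate.
    Returns (account, source_ip, delay between logon and privilege grant).
    """
    logons = {
        e.logon_id: e for e in events
        if e.event_id == EVENT_LOGON and e.logon_type == RDP_LOGON_TYPE
    }
    hits = []
    for e in events:
        if e.event_id == EVENT_SPECIAL_PRIVS and e.logon_id in logons:
            start = logons[e.logon_id]
            delay = e.ts - start.ts
            if timedelta(0) <= delay <= window:
                hits.append((start.account, start.source_ip, delay))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in rdp_logons_without_mfa(evts, MFA_ENFORCED):
        print(f"RDP logon outside MFA policy: {e.account} from {e.source_ip} at {e.ts:%H:%M:%S}")
    for acct, ip, delay in privileged_rdp_sessions(evts):
        print(f"Privileged RDP session: {acct} from {ip} (privileges granted {delay.seconds}s after logon)")
```

Run on the constructed sample, the script flags `CORP\svc_staffplan` both as an RDP logon outside the MFA policy and as a privileged RDP session; `CORP\helpdesk01` is covered by the policy and `CORP\jdoe` logged on locally (type 2), so neither is reported. The point of correlating on the logon id rather than the account name is that it ties the privilege grant to the specific remote session, which is what an investigator needs when reconstructing a chain like the one the ICO describes.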

After an investigation, the company admitted that it had been affected by the Lockbit 3 ransomware. It disclosed that data was taken from its systems but that it had recovered all the data. That data contained personal information on 82,496 people, including medical data. It also contained access codes for 890 people who were receiving care at home.

What has the ICO ruled?

The ICO says that its findings are provisional and that no conclusion should be drawn that there was a data breach or that a fine will be imposed. The Commissioner is awaiting a response from Advanced before issuing a final judgement. It also says that the figure of £6 million may change.

Enterprise Times: What does this mean?

This is not the first time Advanced has suffered a data breach. Back in 2020, it exposed data belonging to 190 law firms through its Laserform Hub subsidiary. In that case, the company claimed the data lost was already in the public domain and did not report it to the ICO.

This time, it is different. The impact was much more widespread and affected critical services. The data lost contained the personal information of those affected. One of the systems, Carenotes, is a mental health records system. Another contains details of homecare including codes to access premises.

Advanced has maintained that the data never made it to the dark web and was not sold or misused. That may help its case here in terms of mitigating any action from the ICO. However, the ICO has called out the lack of multifactor authentication to protect accounts. It will want to see what measures the company has since taken to fix that.

When the company rebuilt its systems after the attack, it said it took advice from the NCSC, NHS and NHS Digital. The ICO will take that into account but will still want to see what other processes have been put in place to prevent a repeat.

We now await the final decision of the ICO.
