NHS IT firm set for major fine following medical records hack
Sensitive patient data was stolen in the attack
An NHS software provider has been hit by a provisional fine of £6m by the Information Commissioner's Office (ICO) following a serious data breach.
Advanced Computer Software Group was hit by a cyberattack in October 2022 which took down NHS systems for patient check-ins, medical notes and the NHS 111 non-emergency service.
In total, the personal information of 82,946 people was stolen by the attackers.
Provisional fine
John Edwards, the Information Commissioner, said, "Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident."
The attackers gained access to sensitive information by using a poorly protected customer account. Patient medical records were among the stolen data, including information on “how to gain entry to the homes of 890 people.” Following the breach, those affected were notified, but Advanced Computer Software Group has so far found no evidence that any of the stolen information has shown up on the dark web.
As systems were taken offline by the attack, some GP services were forced to resort to paper notes, with some doctors who spoke to the BBC at the time stating that the backlog of paperwork would take months to process.
The ICO stated that the fine was provisional and that it would make a final decision after hearing back from Advanced Computer Software Group.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future,” Edwards added. “I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.
Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.