U.K. data protection authorities have issued a provisional fine of more than £6 million to NHS vendor Advanced after finding that the company failed to properly secure the information of thousands of people later stolen in a ransomware attack.
In a statement, the U.K. Information Commissioner’s office said it issued the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.”
The cyberattack on Advanced led to widespread disruption to NHS services across the United Kingdom at the time, causing outages at the NHS non-emergency 111 line and forcing hospitals and medical practices to resort to pen and paper for weeks. Physicians at affected NHS trusts reported that they could not access patient records.
Mandiant, the incident response firm that helped to investigate the hack, said malware used by the LockBit ransomware gang was used in the attack; though, LockBit never publicly claimed responsibility for the cyberattack on its dark web leak site. That can be an indication that a hacked company may have paid a ransom. Advanced previously declined to say if it had paid one.
By October 2022, Advanced said in its post-incident report that the cybercriminals broke into Advanced’s network “using legitimate third-party credentials,” implying that there was no multi-factor authentication on the account.
Now the ICO appears to be confirming that.
The ICO said it’s provisionally issuing a fine of £6.09 million ($ 7.75m) after the watchdog said Advanced provisionally “breached data protection law in failing to implement appropriate security measures prior to the attack to protect the personal information it was processing.”
The watchdog also confirmed that the cyberattack led to the theft of close to 83,000 people in the United Kingdom, including phone numbers and medical records, and details of “how to gain entry to the homes of 890 people who were receiving care at home,” the ICO said.
The fine is provisional, the watchdog said, meaning the penalty may change. ICO Commissioner John Edwards said the watchdog made the decision to go public in this case in part to “avoid similar incidents in the future.”
“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.
Spokespeople for Advanced did not respond to a request for comment prior to publication.