Watchdog to fine NHS IT firm £6m after medical records hack
The Information Commissioner's Office (ICO) has provisionally imposed a £6m fine on an NHS software provider over a data breach which affected more than 80,000 people.
The breach took place in 2022 and involved sensitive personal information, including medical records and "how to gain entry to the homes of 890 people".
But the ICO stressed it was a provisional fine, and it would wait to hear from Advanced Computer Software Group before making a final decision.
It said its initial findings were that personal information belonging to 82,946 people had been "exfiltrated" by hackers.
"Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care," said John Edwards, the Information Commissioner.
"A sector already under pressure was put under further strain due to this incident."
The ICO said people who had been affected by the hack had been notified, and Advanced had not been able to find evidence that information had been leaked on the dark web.
Criminal hackers took offline seven of Advanced's health systems, including software used for patient check-ins, medical notes and the NHS 111 service.
Doctors told the BBC at the time it could take months to process mounting piles of medical paperwork caused by the cyber-attack.
It left some GP services forced to take notes using pen and paper rather than using electronic systems.
The hackers gained access to the information through a customer's account which did not have sufficient protection.
However, the ICO said it believed Advanced should have implemented measures to protect against this vulnerability.
"I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future," said Mr Edwards.
"I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication."
Lauren Wills-Dixon, solicitor and head of privacy at law firm Gordons, agreed.
"The scale of this potential ICO enforcement is another reminder to any organisation, particularly those processing special category or 'sensitive' data on behalf of customers (such as health data) which is given special protection under data protection laws, that they must have robust security measures in place to protect their systems and data," she told the BBC.
"Such measures would typically include investing in appropriate technical and organisational measures, implementing robust IT infrastructure and monitoring/detection, developing effective policies, procedures and training, as well as creating, maintaining and testing a business continuity and disaster recovery plan."