NHS IT firm set for major fine following medical records hack

NHS
Image credit: Shutterstock (Image credit: Shutterstock)

An NHS software provider has been hit by a provisional fine of £6m by the Information Commissioner's Office (ICO) following a serious data breach.

Advanced Computer Software Group was hit by a cyberattack in October 2022 which took down NHS systems for patient check-ins, medical notes and the NHS 111 non-emergency service.

In total, the personal information of 82,946 people was stolen by the attackers.

Provisional fine

John Edwards, the Information Commissioner, said, "Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident."

The attackers gained access to sensitive information by using a poorly protected customer account. Patient medical records were among the stolen data, including information on “how to gain entry to the homes of 890 people.” Following the breach, those affected were notified, but Advanced Computer Software Group has so far found no evidence that any of the stolen information has shown up on the dark web.

As systems were taken offline by the attack, some GP services were forced to resort to paper notes with some doctors who spoke to the BBC at the time stating that the backlog of paperwork would take months to process.

The ICO stated that the fine was provisional and would wait to make a final decision as it was waiting to hear back from Advanced Computer Software Group.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future," Edwards added. "I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.