UK’s watchdog proposes millions in fines following NHS ransomware attack


Following ransomware attacks that disrupted the National Health Service (NHS) and social care services in 2022, the UK’s data protection authority now wants to fine the company that provided the affected IT and software services.

The Information Commissioner’s Office (ICO) imposed a provisional £6 million fine for Advanced Computer Software Group (ACSG).

The ICO found that during a ransomware incident in August 2022, hackers gained initial access to several ACSG health and care systems via a customer account that did not have multi-factor authentication.

The cyberattack disrupted critical services, such as NHS 111, and healthcare staff could not access patient records and deliver patient care.

During the attacks, hackers exfiltrated the personal information of 82,946 people, including phone numbers, medical records, and even the details of how to gain entry to the homes of 860 people receiving care at home.

“This incident shows just how important it is to prioritize information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” John Edwards, UK Information Commissioner, said in a statement.

The ICO’s provisional view is that ACSG is responsible for failing to secure the affected healthcare systems. The findings are not final: the ICO will consider ACSG’s representations before reaching its decision on the fine.

“For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” Edwards said.

“We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches.”

The commissioner decided to release the non-final decision publicly as a warning to other organizations, hoping it would “help them to secure their systems and avoid similar incidents in the future.”

“I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

The ICO noted that all data processors, even when acting on their clients’ instructions, have their own obligations to secure personal information. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing MFA, and keeping systems up to date with security patches.
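The control the ICO singles out, MFA on every externally reachable account, is easy to state and easy to lose track of across a large customer estate. The following is an added example, written for this page and not code from the article, the ICO or ACSG, of the kind of audit a processor could run over an exported account inventory: it flags accounts that can be reached from outside without MFA, escalates privileged ones, and notes stale credentials that should have been disabled. The account records and field names are constructed assumptions, not a real export format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One row of a (hypothetical) account inventory export."""
    username: str
    external_access: bool   # reachable via a remote/VPN/portal entry point
    mfa_enrolled: bool      # a second factor is registered and enforced
    last_login_days: int    # days since the last successful login
    privileged: bool        # admin or support role on customer systems


# Constructed sample inventory for the example; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("svc-remote-support", True, False, 200, True),
    Account("nurse.jones", True, True, 1, False),
    Account("customer-portal-01", True, False, 3, False),
    Account("dba-internal", False, False, 10, True),
    Account("contractor.x", True, False, 120, False),
]


def find_mfa_gaps(accounts, stale_after_days=90):
    """Return policy findings as (username, severity, reasons) tuples.

    Policy: any account with external access must have MFA. Violations are
    'high'; privileged violations are 'critical'. Stale credentials are
    recorded as an extra reason because an unused, MFA-less external
    account is the classic unnoticed entry point.
    """
    findings = []
    for acct in accounts:
        if not acct.external_access or acct.mfa_enrolled:
            continue  # internal-only, or already compliant
        reasons = ["external access without MFA"]
        severity = "high"
        if acct.privileged:
            reasons.append("privileged account")
            severity = "critical"
        if acct.last_login_days > stale_after_days:
            reasons.append(f"no login in {acct.last_login_days} days (stale credential)")
        findings.append((acct.username, severity, reasons))
    # Most severe first, then by name so the report is stable run to run.
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f[1]], f[0]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 2}."""
    counts = {"critical": 0, "high": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


def render_report(findings):
    """Produce one human-readable line per finding."""
    return [f"[{sev.upper()}] {user}: " + "; ".join(reasons)
            for user, sev, reasons in findings]


if __name__ == "__main__":
    results = find_mfa_gaps(SAMPLE_ACCOUNTS)
    for line in render_report(results):
        print(line)
    print(summarize(results))
```

On the constructed inventory this reports the privileged, long-unused support account as critical and the two non-privileged external accounts as high, while the internal-only database account is left alone. In practice the inventory would come from the identity provider or remote-access gateway, and the same check would be scheduled so that a new account without a second factor is caught before it is forgotten.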