NHS Supplier Fined £6M for Data Breach After Ransomware Attack
British regulators have imposed a preliminary fine exceeding £6 million on Advanced, a service provider for the National Health Service (NHS). The company failed to adequately protect the information of thousands of individuals, leading to a data breach resulting from a ransomware attack.
During the attack, perpetrators gained access to several Advanced systems through a client account that lacked multi-factor authentication. The cyberattack, which occurred in August 2022, caused significant disruptions to NHS operations across the United Kingdom. Services, including the NHS 111 emergency line, were taken offline, and many hospitals and medical facilities were forced to revert to using pen and paper. Doctors in the affected NHS departments reported being unable to access patient medical records.
An investigation by Mandiant revealed that the attack employed LockBit malware. However, the LockBit group did not publicly claim responsibility for the cyberattack, which may suggest that Advanced paid a ransom to the extortionists. Previously, the company declined to disclose whether a ransom had been paid.
In October 2022, Advanced stated that cybercriminals had infiltrated its network using legitimate third-party credentials, further indicating the absence of multi-factor authentication. The Information Commissioner’s Office (ICO) has now confirmed this fact.
The ICO announced a preliminary fine of £6.09 million (approximately $7.75 million) for breaching data protection law, citing the failure to implement adequate security measures to protect personal information before the attack.
The regulatory body also confirmed that the cyberattack resulted in the theft of data belonging to nearly 83,000 people in the UK, including phone numbers, medical records, and details on how to access the homes of 890 individuals receiving home care. The affected individuals were notified, and Advanced found no evidence that the data had been published on the dark web.
The fine is provisional, meaning the amount could change. The ICO stated that the decision to publicize the case was partly to prevent similar incidents in the future. The agency urged all organizations, especially those handling sensitive health data, to urgently implement multi-factor authentication.
Representatives of Advanced declined to comment.