An NHS software provider has been fined over £3m by the ICO for failing to protect against a data hack which severely impacted GPs in 2022.
As first revealed by Pulse, parts of the NHS 111 service suffered a ‘total system outage’ during the 2022 cyber attack, and GPs working in urgent care had to share patient records on Word documents.
The Information Commissioner’s Office (ICO) has confirmed that a subsidiary of the company Advanced ‘broke data protection law by failing to fully implement appropriate security measures such as multi-factor authentication coverage’.
According to the ICO, these security failings put the personal information of almost 80,000 people at risk.
The £3.07m fine is part of a voluntary settlement with the company, and is a reduction from the £6.09m fine provisionally announced in August last year.
Since then, Advanced ‘submitted representations’ which showed ‘proactive engagement’ with the NHS and other organisations, and ultimately led to the ICO reducing the fine.
In August 2022, hackers used a customer account that did not have multi-factor authentication to access some of Advanced’s systems, including Adastra, which is used by NHS 111 services.
The stolen data included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
This ransomware attack caused a ‘total system outage’ at NHS 111 services, and GPs were warned they could see an influx of patients signposted from the service.
Pulse later reported that GPs in urgent care were having to share patient records on Word documents in the fallout from the cyber attack, because not seeing patient information from out-of-hours interactions was judged the greater risk for practices.
Information commissioner John Edwards said yesterday that Advanced’s security measures ‘fell seriously short’ of what the ICO expects of a company ‘processing such a large volume of sensitive information’.
He continued: ‘People should never have to think twice about whether their medical records are in safe hands.
‘To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.’
Mr Edwards warned that cyber incidents are increasing across all sectors, and said his decision this week is a ‘stark reminder that organisations risk becoming the next target without robust security measures in place’.
A spokesperson for Advanced said the cyber attack in 2022 is ‘wholly regrettable’ and that businesses must ‘ensure their cyber posture is continually strengthened’ as hackers operate with ‘increasing sophistication’.
They continued: ‘Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.
‘We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded.’