ICO fines NHS IT supplier £3m over 2022 ransomware attack

The supply chain attack shut down NHS 111 and other services for months

The UK’s data regulator has fined an IT supplier more than £3 million over a 2022 ransomware attack on its subsidiary, which affected NHS services across the country.

The Information Commissioner’s Office has levelled a £3.07 million fine against Advanced Computer Software Group Ltd (Advanced) as punishment for a successful ransomware attack on its health and care subsidiary that disrupted NHS services three years ago.

The attack affected NHS services across the UK for weeks, disrupting services like NHS 111 and leaving staff unable to access care records.

The fine is the first the ICO has levelled against a data processor – that is, an entity that processes data on behalf of a data controller. In this case, the data controller was the NHS.

Advanced provides IT and software services to several customers, including the health service, processing people’s personal information on their behalf.

Security failings enabled hackers to access systems at Advanced’s health and care subsidiary. As a result, personal information belonging to more than 79,000 people was taken, including details of how to gain entry to the homes of 890 people who were receiving care at home rather than in hospital.

The attackers gained access to the subsidiary’s systems through a customer account that was not protected by multi-factor authentication (MFA). The ICO concluded that the subsidiary lacked the technical and organisational measures appropriate to the data it processed: not only gaps in MFA coverage, but also no comprehensive vulnerability scanning and inadequate patch management.

The UK’s Information Commissioner, John Edwards, said:

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information... People should never have to think twice about whether their medical records are in safe hands.”

He added, “I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

The fine is almost half the £6.09 million penalty the ICO provisionally proposed when it announced its intention to fine Advanced in August last year.

Advanced submitted additional representations after that announcement. Those, together with its engagement with the NCSC, the NCA and the NHS in the wake of the attack, resulted in the reduction.

Commenting on the fine, Trevor Dearing, director of critical infrastructure at Illumio, said it should “serve as a wake-up call to all businesses that they cannot afford to neglect the basics,” and that it should be a reminder “not to blindly trust suppliers’ security.”

“Recent research from the Ponemon Institute shows that less than half of UK businesses worry about ransomware risks from the supply chain, but the threats are rising. Complacency and overconfidence lead to successful attacks, and in today’s economy, no business can afford to lose money to cybercriminals or regulators.”