Watchdog to fine NHS IT firm £6m after medical records hack

Watchdog to fine NHS IT firm £6m after medical records hack

Getty Images

The Information Commissioner’s Office (ICO) has provisionally imposed a £6m fine on an NHS software provider over a data breach which affected more than 80,000 people.

The breach took place in 2022 and included sensitive personal information including medical records and “how to gain entry to the homes of 890 people”.

But the ICO stressed it was a provisional fine, and it would wait to hear from Advanced Computer Software Group before making a final decision.

It said its initial findings were that personal information belonging to 82,946 people had been “exfiltrated” by hackers.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care,” said John Edwards, the Information Commissioner.

“A sector already under pressure was put under further strain due to this incident.”

The ICO said people who had been affected by the hack had been notified, and Advanced had not been able to find evidence that information had been leaked on the dark web.

Criminal hackers took offline seven of Advanced’s health systems, including software used for patient check-ins, medical notes and the NHS 111 service.

Doctors told the BBC at the time it could take months to process mounting piles of medical paperwork caused by the cyber-attack.

It left some GP services forced to take notes using pen and paper rather than using electronic systems.

BBC/Fay WilsonCare notes piled up on pieces of paper in one surgery after the cyber-attack

The hackers were able to gain access to the information by using a customer’s account which did not have sufficient protection.

But the ICO says it believed Advanced should have implemented measures to protect against this vulnerability.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future,” said Mr Edwards.

“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”