Advanced Computer Software Group, an IT and software services company in England, is facing a £6.09 million ($7.74 million) financial penalty over a ransomware attack in August 2022 that disrupted healthcare and social care organizations in the United Kingdom. The Information Commissioner's Office (ICO), the UK's data protection regulator, investigated the attack and has published its provisional findings together with the proposed financial penalty.
Advanced Computer Software Group provides the National Health Service (NHS) and other U.K. healthcare organizations with IT and software services. The ICO determined that the company did not have adequate measures in place to safeguard the personal data of 82,946 individuals whose information was stolen during the ransomware attack. The stolen information included names, contact details, and health records, which would be classed as PHI in the U.S. About 900 of the affected individuals were receiving home care services and had given the provider details on how to gain access to their homes; that data was stolen as well.
The attack caused extensive disruption, including to the telephone service of NHS 111, which people call for assistance with emergency medical concerns. Software services offered by Advanced Computer Software Group were taken offline because of the attack, so healthcare staff could not access patient records and had difficulty delivering care.
As in the Change Healthcare ransomware attack of February 2024, the ransomware group gained entry to the company's internal systems through an account that did not have multi-factor authentication enabled. The attackers exploited the absence of multi-factor authentication to gain access to some of Advanced Computer Software's systems.
UK Information Commissioner John Edwards stated that a reputable company handling a substantial volume of sensitive and special category information had fallen short in its approach to data security before this incident. Despite having measures in place on its corporate systems, the ICO found that Advanced did not keep its healthcare systems protected. All companies can take basic steps to protect their systems, including regularly scanning for vulnerabilities, applying multi-factor authentication, and keeping systems up to date with the latest security patches.
This is only the ICO's provisional finding, and Advanced Computer Software still has the opportunity to respond. The provisional decision to impose a penalty does not establish that any data protection legislation was violated, nor does it mean that a financial penalty will be imposed in the ICO's final decision. The ICO chose to publish the provisional findings of its investigation to warn other companies about the steps they must take to prevent similar incidents, including ensuring that multi-factor authentication is applied to all external connections.