The UK Information Commissioner’s Office (ICO, the data protection and information rights regulator) today announced its intention to fine the Advanced Computer Software Group £6.09 million.
The fine relates to an August 2022 ransomware attack against the National Health Service (NHS). Personal details of 82,946 patients were exfiltrated, and the 111 (non-emergency) call service was disrupted. The stolen data included information on how to gain access to the homes of 890 people being treated at home.
The ICO’s findings are provisional, and no final decision has been made – so the fine can yet be increased, decreased or dismissed. So far, the investigation has concluded that attackers accessed several Advanced health and care systems via a customer account that did not have multi-factor authentication.
Publishing an ‘intention to fine’ serves multiple purposes. One of these is to act as a warning to other organizations. In this case, John Edwards, the UK Information Commissioner, commented: “For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security… We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
The implication is very clear. Organizations that wish to avoid a finding of non-compliance must, at the very least, implement MFA, run regular vulnerability scans, and maintain an effective patching regime.
MFA is given particular weight. “I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.
Related: Russian Cyber Gang Thought to Be Behind a Ransomware Attack That Hit London Hospitals
Related: Investigation of Russian Hack on London Hospitals May Take Weeks