ICO fines NHS software supplier £3M for ransomware failings

The Register

The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.

This is nearly half the fine the Information Commissioner's Office provisionally floated in August last year (£6.09 million, $7.8 million), although it said at the time the final sum would depend on what the company did and said.

The ICO said Advanced settled for the reduced fine after acknowledging the watchdog's decision, agreeing to pay up without appealing, playing nicely with the NCSC, NCA, and NHS following the attack, as well as taking other steps to mitigate related risk.

The Russian-speaking LockBit ransomware gang launched an attack on Advanced Health and Care Limited, the IT software and services subsidiary that serves the NHS and other healthcare organizations, in August 2022.

A postmortem revealed LockBit first broke in via a customer account that lacked multifactor authentication (MFA). The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.

As The Register reported at the time, the NHS's non-emergency phone operators on the 111 line were forced to operate via pen and paper, while other healthcare professionals were unable to access patient records. The disruption lingered for weeks and, in some cases, months.

In addition to providing IT services to healthcare organizations, Advanced acted as the processor of people's personal data on behalf of its clients.

In total, 79,404 people's data was stolen. Underscoring the severity of the attack, the ICO stressed that 890 of these individuals were vulnerable people who were receiving care at home.

Among the data pilfered by ransomware crooks were the instructions on how to enter their homes, typically meant to be seen only by traveling healthcare professionals.

John Edwards, the UK's information commissioner, said the security measures at Advanced's health subsidiary "fell seriously short of what we would expect from an organization processing such a large volume of sensitive information."

"While Advanced had installed multifactor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people's sensitive personal information at risk.

"People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organization coming into contact with their personal information, whether that's using it, sharing it, or storing it on behalf of others, is meeting its legal obligations to protect it.

"With cyber incidents increasing across all sectors, my decision today is a stark reminder that organizations risk becoming the next target without robust security measures in place. I urge all organizations to ensure that every external connection is secured with MFA today to protect the public and their personal information. There is no excuse for leaving any part of your system vulnerable."

The fine for Advanced's subsidiary is the largest in almost two years. In fact, the ICO hasn't fined any organization more than seven figures since TikTok in April 2023 for misusing children's data.

Advanced's penalty is the sixth highest in ICO history, trailing (in descending order) British Airways, Marriott, TikTok, Clearview (blocked), and Interserve.
Copyright © 1998–2025 The Register. All rights reserved.