UK ICO Says Advanced’s Security Measures ‘Fell Seriously Short’

A British IT service company must pay a 3.07 million pound fine for a 2022 ransomware hack that exposed medical records of tens of thousands of National Health Service patients.
On Thursday, the U.K. Information Commissioner’s Office fined Advanced Computer Software Group for security negligence that resulted in operators of LockBit ransomware stealing information of 79,404 individuals.
The Birmingham-based technology provider’s Adastra system underpins the NHS 111 non-emergency medical helpline and other healthcare services. Hackers took the system offline in August 2022, forcing the NHS to activate business continuity processes and leaving some medical services temporarily unavailable. An NHS psychiatrist, who asked to remain anonymous, told the BBC the incident left his team “making clinical decisions nearly blind” because healthcare staff could not access patient records.
The ICO’s investigation found that hackers breached the Advanced system through a user account that did not have multifactor authentication in place. The company also lacked adequate vulnerability scanning and patch management programs at the time of the hack. Advanced disclosed in September 2022 that the attackers used legitimate third-party credentials to start a remote desktop session to the company’s StaffPlan Citrix server, a system used to schedule caregiver shifts.
Information accessed by the attackers included details on how to gain entry into the homes of 890 people receiving care at home, as well as patients’ phone numbers and medical records. The hackers did not publish the stolen data, and LockBit never claimed responsibility on its dark web leak site. Advanced has declined to state whether or not it paid extortion money to keep the LockBit hackers from making the data public. The company said the hackers copied and stole a “limited amount of data” collected by 16 NHS customers of StaffPlan and Caresys, a home care management software package.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organization processing such a large volume of sensitive information,” ICO Commissioner John Edwards said. “While Advanced had installed multifactor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
The ICO last year proposed a fine of 6 million pounds but brought the amount down, citing remedial actions taken by Advanced and the company’s close cooperation with the ICO and the U.K. National Cyber Security Centre for incident response (see: UK’s Advanced Faces 6M Pound Fine After LockBit Attack).
Thursday’s fine was imposed after Advanced reached a voluntary settlement. The company will not be appealing the decision, the ICO said.
An Advanced spokesperson said the company remained “steadfast on supporting its customers.”
“What happened over two and a half years ago is wholly regrettable. Cybersecurity is a primary investment across our business, and we have learned a great deal as an organization since this attack,” the spokesperson said.