The British data protection authority has imposed a preliminary penalty exceeding £6 million on NHS provider Advanced, due to the company’s inability to adequately protect thousands of individuals’ data subsequently compromised in a ransomware assault.
The U.K. Information Commissioner’s Office announced the penalty after concluding that the attackers behind the August 2022 ransomware attack gained access to several of Advanced’s health and care systems through a customer account that was not protected by multi-factor authentication.
This cyber intrusion significantly disrupted National Health Service (NHS) operations throughout the U.K., affecting the non-emergency 111 hotline and compelling numerous hospitals and medical clinics to revert to manual record-keeping for an extended period. NHS trust physicians reported an inability to retrieve patient files.
Mandiant, the cybersecurity firm brought in to investigate the breach, found that the attack used malware attributed to the LockBit ransomware group. LockBit never claimed the attack on its dark web leak site, however, which suggests a ransom may have been paid. Advanced has not said whether it paid any ransom demand.
By October 2022, Advanced disclosed in its analysis of the incident that the attackers gained entry into its network by “using legitimate third-party credentials,” which suggests the absence of multi-factor authentication on the compromised account.
The ICO has now confirmed that assessment.
The ICO is provisionally levying a fine of £6.09 million ($7.75m), accusing Advanced of “provisionally breaching data protection laws by not establishing adequate safeguards before the attack to protect the personal data under its care,” according to the regulatory body.
Furthermore, the ICO revealed that the cyberattack resulted in the theft of personal data from approximately 83,000 U.K. residents, including contact numbers and medical histories, as well as information on “how to enter the residences of 890 individuals receiving at-home care,” as per the ICO’s statement.
The fine is provisional and may still change, the regulator noted. ICO Commissioner John Edwards said the case was being made public to deter similar failures in future.
“I strongly encourage all organizations, particularly those handling sensitive health information, to immediately enhance their external security protocols with multi-factor authentication,” Edwards urged.
As of this writing, Advanced’s representatives have not commented on the matter.
Compiled by Techarena.au.