The ICO Fine that could have been Avoided

March 28, 2025

By Olena Nechyporuk

When the Information Commissioner fined Advanced Computer Software Group £3.07m for security failings last month, it marked the culmination of a two-year investigation into one of the NHS's most disruptive cyber incidents. The ransomware attack exposed the personal information of nearly 80,000 people, as well as leaving healthcare staff unable to access patient records. Most alarming was the theft of data revealing how to enter the homes of 890 vulnerable individuals receiving care.

The attack's entry point could hardly have been more basic: Advanced's health and care systems were hacked through a customer account lacking multi-factor authentication. An investigation revealed a long list of security shortcomings – inadequate vulnerability scanning, poor patch management, and inconsistent deployment of basic protections that might have prevented the breach.

Could the penalty have been even higher? The ICO certainly thought so, announcing a provisional intention to fine Advanced £6.09m back in August. The company's swift engagement with the National Cyber Security Centre, National Crime Agency and NHS following the attack helped halve that figure. Now, Advanced has agreed to a voluntary settlement, paying the reduced penalty without appeal – a quiet end to a case that exposed just how vulnerable our healthcare data infrastructure remains when data protection compliance falls short. The question is whether other NHS suppliers are taking note. Privacy is important – and robust security is the gateway to good privacy.