UK data watchdog fines NHS vendor Advanced over LockBit ransomware vulnerabilities
The UK data protection regulator has imposed a provisional fine of more than £6 million on UK healthcare software provider Advanced after finding that the company did not properly secure the data of tens of thousands of people, which was later stolen in a ransomware attack.
The UK Information Commissioner’s Office said in a press release that it imposed the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially gained access to a number of Advanced Healthcare systems via a customer account that did not have multi-factor authentication.”
The cyberattack on Advanced led to widespread disruption to NHS services across the UK, knocking out parts of the non-emergency NHS 111 line and forcing hospitals and GP surgeries to fall back on pen and paper for weeks. Doctors at affected NHS trusts reported being unable to access medical records.
Mandiant, the incident response firm that helped investigate the intrusion, said the attack used malware associated with the LockBit ransomware gang. LockBit, however, never publicly claimed responsibility for the attack on its dark web leak site, which may be a clue that the company paid a ransom. Advanced has previously declined to say whether it paid.
Advanced said in its October 2022 post-incident report that the cybercriminals broke into its network “using legitimate third-party credentials,” which already suggested that the account in question was not protected by multi-factor authentication.
The ICO’s findings now appear to confirm this.
The ICO announced the provisional fine of £6.09 million ($7.75 million) after provisionally finding that Advanced had “infringed data protection law by failing to implement appropriate security measures against an attack to protect the personal information it processed.”
The watchdog also confirmed that the attack led to the theft of personal data belonging to almost 83,000 people in the UK, including phone numbers and medical records, as well as details “of how to access the homes of 890 people receiving care at home,” the ICO said.
The fine is provisional, the watchdog said, meaning the final penalty could still change once Advanced has had the chance to respond. ICO commissioner John Edwards said the regulator chose to make the matter public partly to “avoid similar incidents in the future.”
“I urge all organizations, especially those handling sensitive health data, to urgently secure their external connections with multi-factor authentication,” Edwards said.
Spokespeople for Advanced didn’t reply to a request for comment before publication.