
UK data watchdog to fine NHS vendor Advanced over security



U.K. data protection authorities have issued a provisional fine of more than £6 million to NHS vendor Advanced after finding that the company failed to properly secure the data of hundreds of individuals later stolen in a ransomware attack.

In a press release, the U.K. Information Commissioner’s Office (ICO) said it issued the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.”

The cyberattack on Advanced led to widespread disruption to NHS services across the United Kingdom at the time, causing outages on the NHS non-emergency 111 line and forcing hospitals and medical practices to resort to pen and paper for weeks. Physicians at affected NHS trusts reported that they could not access patient data.

Mandiant, the incident response firm that helped to investigate the hack, said malware used by the LockBit ransomware gang was used in the attack, although LockBit never publicly claimed responsibility for the cyberattack on its dark web leak site. That can be a sign that a hacked company may have paid a ransom. Advanced previously declined to say if it had paid one.

By October 2022, Advanced said in its post-incident report that the cybercriminals broke into Advanced’s network “using legitimate third-party credentials,” implying that there was no multi-factor authentication on the account.

Now the ICO seems to be confirming that.

The ICO said it is provisionally issuing a fine of £6.09 million ($7.75 million) after the watchdog said Advanced provisionally “breached data protection law in failing to implement appropriate security measures prior to the attack to protect the personal information it was processing.”

The watchdog also confirmed that the cyberattack led to the theft of data of close to 83,000 people in the United Kingdom, including phone numbers and medical data, and details of “how to gain entry to the homes of 890 people who were receiving care at home,” the ICO said.

The fine is provisional, the watchdog said, meaning the penalty could change. ICO Commissioner John Edwards said the watchdog made the decision to go public in this case partly to “avoid similar incidents in the future.”

“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.

Spokespeople for Advanced did not respond to a request for comment prior to publication.


