Advanced fined £6m over stolen patient data in 2022 cyber attack
- 7 August 2024
- The ICO has imposed a £6.09 million fine on Advanced following an initial finding that it failed to protect the personal information of almost 83,000 people during the 2022 cyber attack
- Provisional findings show that hackers initially accessed a number of Advanced’s systems via a customer account that did not have multi-factor authentication
- The findings are provisional, with the Commissioner set to consider any representations from Advanced before making a final decision
The Information Commissioner’s Office (ICO) has imposed a £6.09 million fine on software provider Advanced following an initial finding that it failed to implement measures to protect the personal information of almost 83,000 people.
A number of health and care systems delivered by Advanced first experienced major outages on 4 August 2022, disrupting several critical services such as NHS 111, with other healthcare staff unable to access patient records.
It was then confirmed in October 2022 that client data had been accessed and extracted by hackers during the incident, and that the malware used by the perpetrators was the LockBit 3.0 variant.
In a statement published today (7 August 2024), the ICO confirm that provisional findings show that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.
Personal information, some of which is considered sensitive, belonging to 82,946 people was exfiltrated, including phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
John Edwards, UK information commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.”
The Commissioner’s findings are provisional, the ICO make clear, and therefore no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed.
Edwards will carefully consider any representations Advanced make before making a final decision, the ICO also confirm, with the fine amount subject to change.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure,” Edwards added.
“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.
“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
A spokesperson for Advanced, now OneAdvanced, said: “Upon detecting suspicious cyber activity in August 2022, we promptly isolated certain systems leading to a temporary loss of service for some customers.
“Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time. These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total.
“We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data controlled by NHS trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems.”
“We have cooperated fully with the ICO investigation over the past two years and will respond to their provisional findings, detailing a comprehensive response ahead of a final decision being made,” the statement added.