Reduced fine of £3m imposed on Advanced following cyber attack
- 27 March 2025

- The Information Commissioner's Office (ICO) has reduced Advanced’s fine to £3.07 million for security failures that exposed the personal data of nearly 80,000 people
- A 2022 cyberattack compromised personal information after Advanced’s health and care subsidiary was found to lack adequate technical and organisational safeguards
- The ICO initially proposed a £6.09 million fine in August 2024, but following Advanced’s representations, the penalty was reduced and a settlement reached
The Information Commissioner’s Office (ICO) has reduced the fine imposed on Advanced to £3.07 million for security failings that put the personal information of almost 80,000 people at risk.
The fine, which is the first the regulator has issued to a data processor, relates to a ransomware incident in August 2022. Hackers accessed systems belonging to Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA) in place.
The cyber attack disrupted critical services such as NHS 111, while other healthcare staff were unable to access patient records.
The investigation found that personal information belonging to 79,404 people was compromised, including details of how to gain entry into the homes of 890 people who were receiving care at home.
The ICO’s investigation concluded that Advanced’s health and care subsidiary did not have appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the incident, including gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management.
John Edwards, information commissioner, said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.
“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.”
The ICO announced its provisional intention to fine Advanced £6.09m in August 2024.
Advanced then submitted representations on the provisional decision, which were considered by the ICO.
Several factors from these representations led to a reduction in the fine, including Advanced’s proactive engagement with the National Cyber Security Centre, the National Crime Agency and the NHS in the wake of the attack, as well as other steps taken by the company to mitigate the risk to those impacted.
The ICO and Advanced have now agreed a voluntary settlement. Advanced has acknowledged the ICO’s decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without appealing.
Edwards added: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place.
“I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.
“I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.”
An Advanced spokesperson told Digital Health News: “What happened over two and a half years ago is wholly regrettable.
“With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.
“We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals.”