The UK Information Commissioner’s Office (ICO) has provisionally decided to fine IT services firm Advanced £6.09m, after it failed to protect health records for almost 83,000 people.
Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.
The provisional decision to issue a fine relates to a ransomware incident in August 2022, in which the attackers initially gained access to a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication enabled.
The cyber attack was widely reported at the time of the incident, with reports of disruption to critical services, and healthcare staff unable to access patient records.
The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
The Commissioner will consider any representations Advanced makes before making a final decision, with the fine amount also subject to change.