Friday, November 15, 2024

NHS software provider faces £6m fine after hackers steal tens of thousands of medical records

Must read

A major NHS IT provider faces a penalty of just over £6m for failures which led to a cyber attack and the theft of nearly 83,000 medical records.

The Information Commissioner’s Office (ICO) has been investigating Advanced, which supplies vital systems for the health service, since the breach on 4 August 2022.

The cyber attack had wide-ranging implications, affecting the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions.

In a provisional ruling, the ICO says the software provider breached data protection law by failing to secure personal information belonging to 82,946 people.

Their records were stolen in a ransomware attack by hackers who gained entry to Advanced’s computer systems using an account which did not have multi-factor authentication (MFA).

Typically MFA would prevent cyber criminals from using stolen passwords to secure access.

The data included sensitive information, phone numbers, medical records and information about how to gain entry to the properties of 890 people receiving care at home.

Read more from Sky News:
Electoral Commission criticised for cyber security failings
Stolen NHS data ‘published online’ by hackers

The disruption affected critical services such as NHS 111 and meant other healthcare staff were unable to access patient records.

People affected by the breach have been notified, and there is no evidence any data was published on the dark web.

The ICO has provisionally decided to impose a fine of £6.09m but the final ruling, and any penalty, will depend on the response from Advanced.

John Edwards, UK Information Commissioner, said: “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services.

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security.”

Advanced released an update following the data breach confirming patient information was copied from their systems before being encrypted.

Typically ransomware attacks involve scrambling victims’ data and making it inaccessible unless they pay up.

What is ransomware?

Ransom malware – or ransomware – is malware that locks users out of their system and demands a ransom payment in order to get back in.

The malware dates back to the late 1980s and has been the subject of several high profile incidents in recent years.

Nowadays ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses, and organisations of all kinds.

The targets can be individual users or – as it seems is the case this time – larger organisations relied upon by millions of people.

So how does ransomware lock up people’s systems?

First the hacker or threat actor needs to gain access to a device or network.

Having this access means they can use the malware to encrypt your device and data so they cannot be accessed.

Once that’s done, the user will see a message demanding a payment in return for restoring access to their files or system.

The ransomware attack in 2022 led the Welsh Ambulance Service to declare a “major outage” of the system used to refer patients from 111 to out-of-hours GP providers.

It said the issue had affected all four nations in the UK.

In 2018, the NHS was severely affected by the WannaCry cyber attack, leading to thousands of cancelled appointments at a cost of nearly £100m.

Latest article