The Information Commissioner’s Office (ICO) announced today (7 August) that it has provisionally decided to fine Advanced £6.09m, following a healthcare-based ransomware attack in August 2022. However, the ICO statement also warns that its findings are provisional, and that no conclusions should be drawn at this stage as to whether there has been a breach of data protection law or that a financial penalty will ultimately be imposed. Advanced provides IT and software services to sectors outside of legal including the NHS and other healthcare providers, and the ransomware attack didn’t impact legal customers.
The ICO’s initial findings are that hackers accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. It claims that Advanced failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.
The ICO says in its statement today that the data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home. People impacted have been notified, and Advanced found no evidence that any data was published on the dark web.
John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.”
He added: “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
An Advanced spokesperson told Legal IT Insider: “In August 2022, we informed the Information Commissioner’s Office (ICO) that Advanced Health and Care Ltd had been the target of a ransomware attack. Following a review by the ICO, it has issued a Notification of Intent (NOI), setting out its provisional findings in relation to the matter and inviting Advanced to make representation in relation to this.
“Upon detecting suspicious cyber activity in August 2022, we promptly isolated certain systems leading to a temporary loss of service for some customers. Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time. These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total.
“We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems.
“We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously. Cybersecurity continues to be a primary investment throughout our business, we continue to adapt and evolve our response to the ever-changing cybersecurity threats and challenges.”
Advanced says that it has cooperated fully with the ICO investigation over the past two years and will respond to their provisional findings, detailing a comprehensive response ahead of a final decision being made. “Since the incident in August 2022, we have continued to transform our business and are a more secure and resilient company than we were two years ago,” the spokesperson said.
This is not the first time that the ICO has announced a provisional decision ahead of a final judgment. Edwards said that he is choosing to publicise this provisional decision today out of a duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future.
Other recent provisional fines were Tiktok and Clearview AI. Tiktok was provisionally fined £27m, which in reality dropped to £12.7m in April 2023, while Clearview AI was threatened with a fine of £17m and received a fine of £7.5m in May 2022. Clearview AI, which is a facial recognition company, won on appeal in October last year.