A major NHS IT provider faces a penalty of just over £6m for failures which led to a cyber attack and the theft of nearly 83,000 medical records.
The Information Commissioner’s Office (ICO) has been investigating Advanced, which supplies vital systems for the health service, since the breach on 4 August 2022.
The cyber attack had wide-ranging implications, affecting the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions.
In a provisional ruling, the ICO says the software provider breached data protection law by failing to secure personal information belonging to 82,946 people.
Their records were stolen in a ransomware attack by hackers who gained entry to Advanced’s computer systems using an account which did not have multi-factor authentication (MFA).
Typically MFA would prevent cyber criminals from using stolen passwords to secure access.
The data included sensitive information, phone numbers, medical records and information about how to gain entry to the properties of 890 people receiving care at home.
The disruption affected critical services such as NHS 111 and meant other healthcare staff were unable to access patient records.
People affected by the breach have been notified, and there is no evidence any data was published on the dark web.
The ICO has provisionally decided to impose a fine of £6.09m but the final ruling, and any penalty, will depend on the response from Advanced.
John Edwards, UK Information Commissioner, said: “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security.”
Advanced released an update following the data breach confirming patient information was copied from their systems before being encrypted.
Typically ransomware attacks involve scrambling victims’ data and making it inaccessible unless they pay up.
The ransomware attack in 2022 led the Welsh Ambulance Service to declare a “major outage” of the system used to refer patients from 111 to out-of-hours GP providers.
It said the issue had affected all four nations in the UK.
In 2018, the NHS was severely affected by the WannaCry cyber attack, leading to thousands of cancelled appointments at a cost of nearly £100m.