A supplier has been issued with a £3m fine by the Information Commissioner’s Office over security failings that led to a major cyber attack in 2022, HSJ has reported.
Personal data belonging to almost 80,000 people was stolen and several trusts were left without access to their electronic patient records when hackers targeted IT supplier Advanced – which is now known as OneAdvanced – in August 2022.
The data extracted included information on how to gain entry to the properties of 890 people who were receiving care at home.
The supplier was provisionally fined £6m in August 2024, but this has since been halved as part of a voluntary settlement. The reduction came after the ICO considered representations made by the company and took into account the supplier’s “proactive engagement” with national cyber security bodies and the NHS. The fine marks the first time the ICO has taken action against an NHS data processor.
At the time of the attack, 85 per cent of the NHS 111 service used the Adastra system supplied by Advanced, which experienced a “total system outage”. Around a dozen community and mental health trusts were using its Carenotes EPR.
The ICO found that the supplier broke data protection laws by failing to have appropriate security measures in place, such as multifactor authentication. The lack of multifactor authentication was also behind last year’s attack on the Synnovis pathology system in south London.
Date: 31 March