NHS England has been making headlines since 2017 due to ongoing cyber attacks and ransomware incidents. The non-profit organization is now in the news again, this time because of a £6 million fine related to a 2022 ransomware attack that severely disrupted its digital and social services.
The penalty, imposed by the Information Commissioner’s Office (ICO), was directed at Advanced Computer Software Group, the technology service provider for NHS England. The fine was issued because Advanced Computer Software Group failed to safeguard user data during the attack, which resulted in significant data breaches.
Although Advanced Computer Software Group initially sought to shift the blame to NHS England by requesting that the penalty be shared, the ICO denied this request. The ICO clarified that NHS England had outsourced its tech services to the company and was not responsible for the data protection failures.
The attack gave hackers access to NHS’s database, resulting in the theft of millions of medical records and impacting patient care. The penalty was imposed on Advanced Computer Software Group because it had not implemented crucial multi-factor authentication on its servers.
John Edwards, the Information Commissioner, stated that this incident should serve as a wake-up call for businesses in the UK, highlighting the critical need for investment in cybersecurity.
Earlier this year, NHS England faced another cyber threat from RansomHub, a rebranded ransomware group previously known as Knight. This attack involved file-encrypting malware rented from another criminal organization, Cyclops, which operates on a Ransomware-as-a-Service model. The target in this case was Synnovis, a technology provider that had been working with NHS for 18 months.
Security experts anticipate that Synnovis could face a significant fine as well if it is found to have neglected essential security measures needed to protect NHS’s medical data.