Advanced Fined £3 Million Following 2022 Ransomware Attack

Fraud Management & Cybercrime, Geo Focus: The United Kingdom, Geo-Specific

UK ICO Finds Advanced’s Security Practices Lacking

The website and logo of the Information Commissioner’s Office displayed on electronic devices. (Image: Shutterstock)

Advanced Computer Software Group, a U.K.-based IT service provider, has been fined £3.07 million over a 2022 ransomware attack that exposed the personal and medical records of more than 79,000 National Health Service (NHS) patients.

The U.K. Information Commissioner’s Office (ICO) imposed the fine on Thursday, citing significant gaps in security controls that allowed LockBit ransomware operators to exfiltrate sensitive data.

Advanced’s Adastra system, which supports various NHS services including the 111 non-emergency helpline, went offline following the cyberattack in August 2022. This disruption prompted the NHS to implement business continuity measures, temporarily hindering the availability of essential medical services. An anonymous NHS psychiatrist commented to the BBC that the failure to access patient records left their team “making clinical decisions nearly blind.”

The ICO’s investigation found that the attackers entered Advanced’s systems through an account that was not protected by multifactor authentication (MFA), and that the company’s vulnerability management fell short at the time of the breach. Advanced has said the attackers used legitimate third-party credentials to open a remote desktop session on the StaffPlan Citrix server, which is used to manage caregiver schedules.
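The initial access described above, a successful remote desktop logon with valid credentials on an account that MFA did not cover, is exactly the kind of event a detection team can hunt for after the fact. The following is an added example, not code from the ICO, Advanced or this article: it scans constructed Windows Security logon events for remote-interactive logons by accounts that are absent from an MFA enrolment list, and ranks logons from external addresses first. Event ID 4624 and LogonType 10 are real Windows values; the pipe-delimited log lines, account names, hostnames, the MFA enrolment set and the internal address ranges are all constructed for illustration.

```python
"""Flag successful RDP logons by accounts that are not enrolled in MFA.

Added example, not code from the ICO, Advanced or the article.
Windows event ID 4624 (successful logon) and LogonType 10 (RemoteInteractive,
i.e. RDP / Terminal Services) are real Windows values; every log line,
account, host, the MFA set and the internal ranges below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Logon:
    event_id: int
    account: str
    logon_type: int
    source_ip: str
    host: str
    external: bool = False


# Constructed summaries of Security events, one per line:
# EventID|TargetUserName|LogonType|IpAddress|Computer
SAMPLE_EVENTS = [
    "4624|svc_backup|10|203.0.113.45|CITRIX01",      # RDP, no MFA, external source
    "4624|jsmith|10|10.20.30.40|CITRIX01",           # RDP, but account is MFA-enrolled
    "4624|vendor_support|10|198.51.100.7|CITRIX01",  # RDP, third-party account, no MFA
    "4624|jsmith|3|10.20.30.41|FILESRV01",           # network logon (SMB), not RDP
    "4624|helpdesk_tmp|10|10.20.30.42|CITRIX01",     # RDP, no MFA, internal source
    "4625|vendor_support|10|198.51.100.7|CITRIX01",  # failed logon, not a success
]

MFA_ENROLLED = {"jsmith"}  # constructed: accounts known to have MFA enforced
INTERNAL_NETS = [  # constructed: ranges treated as the corporate network
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

EVENT_SUCCESSFUL_LOGON = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10


def parse_event(line: str) -> Logon:
    """Parse one pipe-delimited event summary into a Logon record."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed event line: {line!r}")
    event_id, account, logon_type, source_ip, host = fields
    return Logon(int(event_id), account, int(logon_type), source_ip, host)


def is_internal(ip: str, internal_nets) -> bool:
    """True when the source address lies inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def find_unprotected_rdp_logons(lines, mfa_enrolled, internal_nets):
    """Return successful RDP logons by accounts outside the MFA set.

    Logons from external addresses are placed first so they reach the top
    of a triage queue; failed logons and non-RDP logon types are ignored.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != EVENT_SUCCESSFUL_LOGON:
            continue
        if ev.logon_type != LOGON_TYPE_REMOTE_INTERACTIVE:
            continue
        if ev.account in mfa_enrolled:
            continue
        hits.append(replace(ev, external=not is_internal(ev.source_ip, internal_nets)))
    # sort() is stable, so original order is kept within each group
    hits.sort(key=lambda h: not h.external)
    return hits


if __name__ == "__main__":
    for h in find_unprotected_rdp_logons(SAMPLE_EVENTS, MFA_ENROLLED, INTERNAL_NETS):
        origin = "EXTERNAL" if h.external else "internal"
        print(f"{origin} RDP logon without MFA: {h.account} from {h.source_ip} to {h.host}")
```

In a real environment the MFA enrolment set would come from the identity provider rather than a literal, and the internal ranges from the network inventory; the point of the check is that third-party and service accounts, the ones most often left out of an MFA rollout, surface immediately when they log on interactively from outside.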

As for what was taken, the attackers obtained sensitive information including details of how to gain entry to the homes of 890 people receiving care, along with patient phone numbers and medical records. The stolen data has not been published, and the LockBit group did not claim the attack on its dark web leak site. Advanced has declined to confirm whether a ransom was paid to prevent its release, but said a “limited amount of data” was taken from 16 NHS clients using its StaffPlan and Caresys software.

ICO Commissioner John Edwards voiced concern over Advanced’s inadequate security measures, stating, “The security measures of the Advanced subsidiary fell seriously short of what we would expect from an organization processing such a large volume of sensitive information.” Incomplete MFA coverage across its systems allowed the unauthorized access and put the personal data of thousands of people at risk.

The ICO initially proposed a fine of £6 million but reduced it in recognition of the company’s remedial actions and its cooperation with both the ICO and the U.K. National Cyber Security Centre in the aftermath of the incident. The fine was finalized after Advanced opted for a voluntary settlement and confirmed it would not appeal the decision.

An Advanced representative stated that the company is committed to supporting its customers while acknowledging the regrettable nature of the incident. “Cybersecurity is a primary investment across our business, and we have learned a great deal as an organization since this attack,” the spokesperson remarked.

The incident is a reminder of how much depends on basic controls in sectors handling sensitive data. The attack follows a familiar MITRE ATT&CK pattern: initial access with valid accounts over an external remote service (the remote desktop session on a server where MFA was not enforced), followed by exfiltration of patient data. Enforcing MFA on every remote access path, including third-party and vendor accounts, and keeping vulnerability management current are the two controls the ICO’s findings point to.
