Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion
‎08-07-2024 10:59 PM
‎08-07-2024 10:59 PM

ICO Privacy Commissioners Office UK

Hi All

 

NEW: A software supplier for the National Health System (NHS) and social care sector could face a £6,090,000 fine following ransomware attack that disrupted NHS services.

The provisional decision to issue a fine relates to a ransomware incident in August 2022. We have provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.

Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.

We have provisionally found that personal information belonging to 82,946 people was exfiltrated during the attack. Reports at the time of the attack suggest staff were unable to access patient records and disruptions to critical services such as NHS 111. The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.

The Commissioner’s findings are provisional, and he will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.

💡 What can processors learn from this case?

Data processors act on the instructions of their clients, the data controllers, who have overall control over how and why personal information is used. However, data processors, such as Advanced, still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

We have detailed guidance to support organisations to protect their systems from ransomware attacks: https://lnkd.in/eK4S_Vbu

And guidance on the responsibilities and liabilities of both data processors and controllers: https://lnkd.in/dkJ8zCyd

 

https://www.linkedin.com/posts/information-commissioner%27s-office_new-a-software-supplier-for-the-n...

 

Regards

 

Caute_Cautim

Reply
0 Kudos
0 Replies