$3 Million Fine for Healthcare MSP with Sloppy Security After Ransomware Attack
A UK firm has been hit by a £3.07 million fine after being struck by a ransomware attack that exposed sensitive data related to almost 80,000 people and disrupted NHS services.
The Information Commissioner's Office (ICO) imposed the fine on Advanced Computer Software Group, a managed service provider, for failing to fully implement security measures, such as complete multi-factor authentication (MFA) coverage, prior to the cyber-attack in August 2022. The attackers gained entry through an account that was not protected with MFA, which gave them access to sensitive information.
As a result of the breach, personal details of 79,404 individuals were stolen, including details of how to gain entry into the homes of 890 people who were receiving care at home. The incident also disrupted some health services and their ability to deliver patient care.
The Failure of Advanced to Implement Security Measures
The ICO criticized Advanced for its failure to regularly check for vulnerabilities and keep systems up to date with the latest security patches. This lapse in security measures allowed the hackers to exploit a weakness in the system, resulting in the breach.
"Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care," said UK Information Commissioner John Edwards. "Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations."
The Importance of Prioritizing Information Security
The incident highlights the importance of prioritizing information security, particularly in the healthcare sector where sensitive data is involved. Cybercriminals target healthcare organizations due to the high value of patient data they store, as well as the highly sensitive and confidential nature of this data.
"Protecting this data from unauthorised access, disclosure, or manipulation is paramount to maintaining patient privacy and confidentiality," said Edwards. "Not only does a cyber-attack erode the trust of patients and cause financial losses, it can also - in the worst cases - endanger lives too."
Prevention is Key
The ICO's warning serves as a reminder that prevention is key when it comes to information security. Healthcare organizations must take proactive steps to strengthen their network security, implement strong defences, and regularly update their systems with the latest security patches.