TechCrunch reports that Advanced Computer Software Group, a vendor of the UK's National Health Service, has been subjected to a $7.75 million provisional fine from the Information Commissioner's Office following its failure to defend information belonging to nearly 83,000 individuals from being stolen in a LockBit ransomware attack in August 2022.
Infiltration of several Advanced health and care systems through a customer account without multi-factor authentication resulted in the widespread disruption of NHS services that lasted for weeks, according to the ICO. Advanced has "breached data protection law in failing to implement appropriate security measures prior to the attack to protect the personal information it was processing," noted the ICO. Further changes to the penalty are likely due to its provisional nature, with ICO Commissioner John Edwards stating that the fine has been publicized to avoid similar incidents while emphasizing the importance of immediate MFA adoption among organizations storing and managing health data.
