Wednesday, April 2, 2025

Advanced Software Hit with £3 Million Fine Following LockBit Cyber Attack

Today, the UK’s Information Commissioner’s Office (ICO) imposed a £3.07 million fine on Advanced Computer Software Group, now known as OneAdvanced, due to significant cyber security issues that worsened the effects of a LockBit ransomware attack in August 2022.

During the attack, vital services for Advanced’s clients, including the NHS and various healthcare providers, faced severe disruptions. Access to the Adastra clinical patient management platform was lost, affecting the frontline 111 service, ambulance dispatch, out-of-hours patient services, and emergency prescriptions. The ICO revealed that the attack exploited a customer account lacking multifactor authentication (MFA), resulting in the theft of data belonging to over 79,000 individuals, including sensitive details about 890 people receiving home care.

The ICO highlighted that Advanced’s health and care subsidiary failed to implement adequate technical and organizational measures to secure its IT systems. The agency pointed out not only the absence of MFA but also shortcomings in vulnerability scanning and patch management. Information commissioner John Edwards emphasized the seriousness of the situation, noting that the company’s security practices did not meet acceptable standards for managing large amounts of sensitive data. He stated, “People should never have to think twice about whether their medical records are in safe hands.”

In light of rising cyber incidents across all sectors, Edwards urged organizations to ensure that every external connection is secured with MFA. He made it clear there’s no justification for leaving any part of the system open to threats.

The £3.07 million fine is significant, although it is about half of what was originally considered, and it marks the ICO’s first financial penalty against a data processor under UK data protection law. The reduced amount reflects Advanced’s cooperation during the investigation, including collaboration with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

Advanced has agreed to a voluntary settlement and will accept the fine without appeal. The ICO expressed satisfaction with this resolution, as it promotes regulatory clarity while avoiding the additional costs and delays associated with a prolonged appeal process.

The ICO cautioned other organizations to take assertive actions to tackle risks that allow ransomware groups like LockBit to thrive. Key recommendations include implementing MFA universally and promptly addressing system vulnerabilities.

An Advanced spokesperson acknowledged the regrettable incident from over two years ago. They stressed the importance of strengthening cyber defenses and noted that the company has learned significantly from the experience. They gave assurances that cyber security remains a top priority and reaffirmed their commitment to supporting customers in navigating evolving technology needs and operational goals.