An NHS software program supplier has been fined £3m by the Info Commissioner’s Workplace (ICO) over safety failings that led to a ransomware assault on the NHS.
The Superior Pc Software program Group was fined for a breach that put private data of 79,404 folks in danger, the UK’s knowledge safety watchdog stated.
The agency offers IT and software program companies to organisations across the nation, together with the NHS and different well being suppliers, dealing with data in its function as a knowledge processor.
The breach took place in August 2022, when hackers gained entry to sufferers’ cellphone numbers and medical information in addition to particulars of how you can acquire entry to the properties of 890 folks receiving care at dwelling.
The unidentified hackers have been capable of acquire entry to the data by utilizing a buyer’s account that didn’t have enough safety within the type of multi-factor authentication.
The regulator’s investigation concluded that Superior didn’t have applicable safety measures in place previous to the incident.
The cyberattack led to the disruption of vital companies together with NHS 111, and left some healthcare employees unable to entry affected person information.
Software program used to facilitate affected person check-ins was additionally impacted.
Final yr, the regulator criticised Superior over the incident, which positioned “additional pressure” on a “sector already underneath stress”.
Whereas the corporate had put in multi-factor authentication throughout a lot of its techniques, “the shortage of full protection” was criticised by Info Commissioner John Edwards.
“The safety measures of Superior’s subsidiary fell severely wanting what we might count on from an organisation processing such a big quantity of delicate data,” Mr Edwards stated.
He added the fantastic ought to function a “stark reminder” to organisations to make sure they’ve “sturdy safety measures in place”.
“There isn’t any excuse for leaving any a part of your system weak,” Mr Edwards added.
Final yr, the ICO introduced it meant to impose a provisional £6m fine on Superior for the breach.
Nonetheless, the watchdog stated the sum had been halved due to the proactive engagement of Superior with police, cyber safety companies and the NHS following the assault.
