Security News > 2024 > August > UK health services call-handling vendor faces $7.7M fine over 2022 ransomware attack

The UK's data protection watchdog says it plans to fine a managed software provider to the NHS £6.09 million for failings that led to a 2022 ransomware attack.

Advanced pulled its systems offline on August 4, 2022, in an incident that was eventually attributed to LockBit, back in its heydey which has thankfully now ended.

For one, the incident was allowed to take place, the ICO said, because a customer account without multi-factor authentication was used to breach the vendor's systems.

"During the initial logon session, the attacker moved laterally in Advanced's Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data," the October 2022 update said.

"For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches."

The Register approached Advanced for a response but it didn't reply.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/07/ico_plans_to_fine_nhs/