
UK health services call-handling vendor faces $7.7M fine over 2022 ransomware attack

Nearly 83,000 people had their data stolen amid chaos that struck NHS healthcare


The UK's data protection watchdog says it plans to fine a managed software provider to the NHS £6.09 million ($7.7 million) for failings that led to a 2022 ransomware attack.

Reading the press release, we've never seen the word "provisionally" appear so many times in such a short bit of copy, but the Information Commissioner's Office (ICO) really sought to hammer home the fact that nothing is set in stone and the ultimate punishment will be decided after the vendor has had its say on the matter.

That vendor is Advanced Computer Software Group; you may remember it from El Reg stories published almost two years ago to the day. Advanced pulled its systems offline on August 4, 2022, in an incident that was eventually attributed to LockBit, back in its heyday, which has thankfully now ended.

NHS non-emergency phone operators on the 111 line were forced to revert to pen-and-paper operations as disruptions continued for weeks. Some systems were still down in October of that year.

There are a number of things that really irked information commissioner John Edwards about this particular case. For one, the incident was allowed to take place, the ICO said, because a customer account without multi-factor authentication (MFA) was used to breach the vendor's systems.

Specifically, we know that legitimate credentials were used to create a remote desktop session to Advanced's Staffplan Citrix server.

"During the initial logon session, the attacker moved laterally in Advanced's Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data," the October 2022 update said.

There is also the not-so-small matter of the volume of data stolen. Personal data belonging to 82,946 people was lifted, so say the ICO's provisional findings.

Phone numbers were taken, which isn't great but also not unexpected in a data breach. Medical records were also stolen, which, again, isn't very good at all, but all the recent attacks on healthcare providers have made this somewhat the norm nowadays.

However, the LockBit affiliate responsible for this one also stole files that included details of how to gain access to the homes of 890 people receiving care at their address.

Advanced found no evidence of this being published online, but blueprints on how to gain access to a vulnerable person's home – that's exactly the kind of data that, in the wrongest of hands, could lead to some grisly outcomes.

"This incident shows just how important it is to prioritize information security," Edwards said today. "Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations. 

"Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident. 

"For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches. 

"I am choosing to publicize this provisional decision today as it is my duty to ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication."

The Register approached Advanced for a response but it didn't reply.

At the time of the attack, Advanced had 36 NHS clients using its various wares. Adastra, its clinical patient management system, which is still used by the healthcare services, was among the solutions affected and was used at the time by 85 percent of NHS 111 services. ®
