An NHS software program supplier has been fined £3m by the Data Commissioner’s Workplace (ICO) over safety failings that led to a ransomware assault on the NHS.
The Superior Laptop Software program Group was fined for a breach that put private info of 79,404 folks in danger, the UK’s knowledge safety watchdog mentioned.
The agency supplies IT and software program providers to organisations across the nation, together with the NHS and different well being suppliers, dealing with info in its function as a knowledge processor.
The breach took place in August 2022, when hackers gained entry to sufferers’ telephone numbers and medical data in addition to particulars of the way to acquire entry to the houses of 890 folks receiving care at house.
The unidentified hackers have been capable of acquire entry to the knowledge by utilizing a buyer’s account that didn’t have ample safety within the type of multi-factor authentication.
The regulator’s investigation concluded that Superior didn’t have acceptable safety measures in place previous to the incident.
The cyberattack led to the disruption of essential providers together with NHS 111, and left some healthcare workers unable to entry affected person data.
Software program used to facilitate affected person check-ins was additionally impacted.
Final yr, the regulator criticised Superior over the incident, which positioned “additional pressure” on a “sector already below strain”.
Whereas the corporate had put in multi-factor authentication throughout a lot of its methods, “the dearth of full protection” was criticised by Data Commissioner John Edwards.
“The safety measures of Superior’s subsidiary fell severely in need of what we’d count on from an organisation processing such a big quantity of delicate info,” Mr Edwards mentioned.
He added the wonderful ought to function a “stark reminder” to organisations to make sure they’ve “strong safety measures in place”.
“There isn’t a excuse for leaving any a part of your system susceptible,” Mr Edwards added.
Final yr, the ICO introduced it meant to impose a provisional £6m fine on Superior for the breach.
Nevertheless, the watchdog mentioned the sum had been halved due to the proactive engagement of Superior with police, cyber safety providers and the NHS following the assault.
