Friday, September 20, 2024

UK data watchdog to fine NHS vendor Superior for security failures prior to LockBit ransomware attack


U.K. data protection authorities have issued a provisional fine of more than £6 million to NHS vendor Superior after finding that the company didn’t properly secure the information of thousands of people later stolen in a ransomware attack.

In a statement, the U.K. Information Commissioner’s Office (ICO) said it issued the fine after determining that the cybercriminals behind the August 2022 ransomware attack “initially accessed a number of Superior’s health and care systems via a customer account that didn’t have multi-factor authentication.”

The cyberattack on Superior led to widespread disruption to NHS services across the UK at the time, causing outages on the NHS non-emergency 111 line and forcing hospitals and medical practices to resort to pen and paper for weeks. Physicians at affected NHS trusts reported that they couldn’t access patient records.

Mandiant, the incident response firm that helped to investigate the hack, said malware used by the LockBit ransomware gang was used in the attack, though LockBit never publicly claimed responsibility for the cyberattack on its dark web leak site. That can be a sign that a hacked company may have paid a ransom. Superior previously declined to say if it had paid one.

By October 2022, Superior said in its post-incident report that the cybercriminals broke into Superior’s network “utilizing reliable third-party credentials,” implying that there was no multi-factor authentication on the account.

Now the ICO seems to be confirming that.

The ICO said it is provisionally issuing a fine of £6.09 million ($7.75 million) after the watchdog said Superior provisionally “breached data protection law in failing to implement appropriate security measures prior to the attack to protect the personal information it was processing.”

The watchdog also confirmed that the cyberattack led to the theft of data of close to 83,000 people in the United Kingdom, including phone numbers and medical records, and details of “how to gain entry to the homes of 890 people who were receiving care at home,” the ICO said.

The fine is provisional, the watchdog said, meaning the penalty may change. ICO Commissioner John Edwards said the watchdog made the decision to go public in this case in part to “avoid similar incidents in the future.”

“I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.

Spokespeople for Superior did not respond to a request for comment prior to publication.
