Advanced faces fine over LockBit attack that crippled NHS 111

Software supplier Advanced Computer Software Group faces a potential fine of £6.09m for an alleged failure to implement appropriate cyber security measures to protect the sensitive personal data of 82,946 people, which was stolen by the LockBit ransomware gang following an attack on its systems in August 2022.

The cyber attack on Advanced caused extensive disruption to NHS trusts and other social care bodies that used its Caresys care home management, Staffplan care rostering, and Adastra clinical patient management services. The biggest immediate impact seen was to users of the Adastra service underpinning the NHS’s 111 advice service.

LockBit – which was taken down by the UK’s National Crime Agency (NCA) earlier in 2024 – was later found to have accessed Advanced’s network using legitimate credentials on a third-party account which did not have multifactor authentication (MFA) enabled.

This account was used to establish a remote desktop protocol (RDP) session on a Staffplan Citrix server, from where they were able to move laterally through Advanced’s environment to elevate their privileges, exfiltrate sensitive data including patient medical records and phone numbers, and execute their ransomware locker.

“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” said information commissioner John Edwards.

“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident. 

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” Edwards continued.

“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”

Edwards stressed that the ICO’s findings are, at this stage, provisional, and no conclusion should be drawn as to whether or not there has been a breach of data protection law, or even that a fine will be imposed. As part of the investigation process, Advanced has the right to make considered representations before a final decision is taken. If the organisation is eventually fined, the amount may well change.

Edwards said he was choosing to publicise the provisional ICO decision as he had a duty to ensure other organisations have appropriate information to enable them to secure their systems and avoid similar incidents in the future. He urged all organisations, especially those handling sensitive health data, to urgently secure external connections and impose MFA policies across the board.

The ICO pointed out that although data processors such as Advanced act on the instructions of their clients, the data controllers – in this case the NHS – which have overall control over how the data is used, processors still have a legal obligation to implement appropriate security measures to keep it safe. This includes taking steps to assess and mitigate risk, conducting vulnerability scanning on their IT estate, implementing MFA, and keeping systems updated.

A spokesperson for Advanced, which now trades as OneAdvanced, told Computer Weekly the organisation had notified the ICO in August 2022 that it had been the target of a ransomware attack, and had cooperated fully with its investigation over the past two years. They acknowledged the regulator's Notification of Intent (NoI) setting out its provisional findings and inviting it to make representations following this, which it intends to do.

“Upon detecting suspicious cyber activity in August 2022, we promptly isolated certain systems leading to a temporary loss of service for some customers. Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time. These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total,” they said.

“We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems.”

“We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously. Cyber security continues to be a primary investment throughout our business, we continue to adapt and evolve our response to the ever-changing cyber security threats and challenges.

The spokesperson added: “Since the incident in August 2022, we have continued to transform our business and are a more secure and resilient company than we were two years ago.”

According to Advanced's most recent accounts, the organisation spent £18.3m on remediation measures in the wake of the attack, and a further £3m in the 2023-24 financial year.