Provisional £6m Fine Imposed on Software Provider Following NHS Ransomware Attack
Thursday, August 8, 2024
The attack resulted in the exfiltration of personal information, including phone numbers, medical records, and entry details for 890 individuals receiving home care. The breach caused significant disruption to critical services, notably NHS 111, with healthcare staff unable to access essential patient records. Although Advanced reported no evidence of the stolen data being published on the dark web, the incident had a profound impact on affected individuals.
A “Pretty Lenient” Decision
Dr Ilia Kolochenko, CEO of ImmuniWeb and Adjunct Professor of Cybersecurity at Capital Technology University, said the UK ICO’s provisional decision is likely motivated, among other things, by the attack’s disastrous impact and aftermath, which practically paralyzed the British healthcare system in 2022.
“Under Article 83 of the UK GDPR, the turnover-based penalty threshold—for data security failures and other violations of Article 32—is 2% of the preceding financial year’s annual turnover, while a fixed penalty of up to £8,700,000 may be imposed instead at the discretion of the regulator or court,” Kolochenko said.
The provisional fine appears to represent about 2.3% of Advanced's annual turnover in 2021, slightly above the turnover-based cap but considerably less than the fixed fine cap. “Therefore, if regarded through the prism of damage suffered by innocent third parties, the ICO decision is pretty lenient,” Kolochenko added.