Since the breach on August 4, 2022, the Information Commissioner’s Office (ICO) has been investigating Advanced, which delivers crucial systems to the health service.
The cyberattack had far-reaching consequences, impacting the system used to dispatch ambulances, schedule after-hours visits, and issue emergency medications.
In a preliminary finding, the ICO claims that the software provider violated data protection laws by failing to secure personal information belonging to 82,946 individuals.
Their records were stolen in a ransomware assault by hackers who obtained access to Advanced’s computer systems via an account without multi-factor authentication (MFA).
Typically, MFA would prohibit cybercriminals from exploiting stolen credentials to gain access.
The data included personal information, phone numbers, medical records, and instructions on how to get access to the homes of 890 persons receiving care at home.
The outage impacted key services such as NHS 111 and prevented other healthcare personnel from accessing patient details.
No evidence suggests that any data was uploaded to the dark web, and those impacted by the compromise have been informed.
