UK data protection authorities have hit NHS supplier Advanced with an interim fine of more than £6 million after finding it failed to properly protect the data of thousands of people that was later stolen in a ransomware attack.
The UK Information Commissioner's Office (ICO) said in a statement that it had determined that the cybercriminals behind the August 2022 ransomware attack "initially gained access to a number of Advanced health and care systems via customer accounts without multi-factor" authentication.
The Advanced cyberattack caused massive disruption to NHS services in the UK at the time, knocking out the NHS non-emergency 111 hotline and forcing hospitals and healthcare facilities to rely on pen and paper for weeks. Doctors at affected NHS trusts reported being unable to access patient records.
Mandiant, an incident response firm that helped investigate the hack, said the attack used malware associated with the LockBit ransomware gang; however, LockBit has never publicly claimed responsibility for the cyberattack on its dark web leak site. This could indicate that the hacked company may have paid the ransom. Advanced previously declined to say whether it had paid.
By October 2022, Advanced said in a post-incident report that cybercriminals broke into Advanced's network "using legitimate third-party credentials," meaning the account did not go through multi-factor authentication.
Now the ICO appears to confirm this.
The ICO said it had provisionally fined Advanced £6.09m ($7.75m) after the regulator said it had provisionally found that the company "breached data protection laws by failing to implement appropriate security measures to protect the personal information it was processing prior to the attack".
The watchdog also confirmed that the cyberattack resulted in the theft of data on nearly 83,000 people in the UK, including phone numbers and medical records, as well as "details of how to gain entry to the homes of 890 people receiving home care," the ICO said.
The regulator said the fine was provisional, meaning the penalty could change. ICO Commissioner John Edwards said the regulator decided to make the case public partly to "avoid similar incidents in the future".
"I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication," Edwards said.
A spokesman for Advanced did not respond to a request for comment prior to publication.