NHS IT provider let customers log in without MFA: Faces £6m fine

Image for illustration purposes only. Credit: "Uncle Saiful", Flickr, CC BY-ND 2.0

NHS software provider “Advanced” faces a £6 million fine after an investigation into a 2022 ransomware attack found serious security failings.

The August 2022 incident, claimed by LockBit, affected multiple key NHS services, forcing many back onto pen and paper. It began when the attackers logged in using customer credentials, then established an RDP session to the Citrix server of Staffplan (one of its most affected apps).

The Information Commissioner’s Office (ICO) said that it “provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication” set up, a significant failure of basic security hygiene.

Advanced had said in an October 2022 incident report seen by The Stack: “During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware” – which it confirmed in the same report to be LockBit 3.0.

Advanced has some 25,000 customers including major government clients and revenues of £330 million. Among the many software services it provides that were affected by the ransomware incident was Staffplan.

That’s used by over 79,000 care home workers to manage shifts, medication and more. A hazard log spreadsheet for the software seen by The Stack during the restoration process showed that the risks of server disruption include “medication doses missed”, “basic needs not met, such as nutrition and personal care”, “health needs not met, such as wound care and physical support” and “required number of carers not met”, among others.

Restoration at the time was not swift. Sources close to the app told us that Staffplan was written in Delphi 5, a development tool for Windows released in 1999, and had not been “significantly” updated since it was written in 2009. It was understood in 2022 to have a range of complex dependencies and libraries that require legacy versions of Windows to function and Advanced only removed a dependency on the now discontinued Microsoft Silverlight application framework in early 2022.

Information Commissioner John Edwards said this week: “This incident shows just how important it is to prioritise information security.”

Saying the data of 82,946 people was also stolen in the attack he added: “Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations. Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.

"For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

The 2022 Advanced ransomware incident crippled its Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan and eFinancials systems, with all others remaining operational. Adastra is a patient management system which deals with 40 million patient records, while Carenotes is used by 40,000 clinicians to access patient records. Across all its business areas Advanced has more than 25,000 customers, including 140 NHS trusts – the majority of which were unaffected by the attack.

MSPs have faced mounting attacks in recent years and regular warnings that they will continue to face heightened levels of attack, including a joint May 2022 advisory from US and UK authorities. A July 2021 attack on software provider Kaseya was among the most impactful. In that incident cybercriminals abused a SQL injection vulnerability in remote access software from the company to then hack 50+ MSPs that used its products; piggybacking on that access in turn to hit over 1,500 downstream customer organisations with ransomware.
