An NHS software provider faces the threat of a £6.09m fine over a 2022 ransomware attack that disrupted NHS and social care services.
An investigation by the Information Commissioner’s Office (ICO) has accused Advanced Computer Software Group Ltd (Advanced) of failing to protect the personal information of 82,946 people from hackers.
Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.
The provisional decision to issue a fine relates to a ransomware incident in August 2022, where the ICO has provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.
The ICO has provisionally found that personal information belonging to 82,946 people was exfiltrated following the attack.
The cyber attack was widely reported at the time of the incident, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.
The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home. People impacted have been notified, and Advanced found no evidence that any data was published on the dark web.
The Commissioner will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.
John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.
“We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
Data processors act on the instructions of their clients, the data controllers, who have overall control over how and why personal information is used.
However, data processors, such as Advanced, still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure.
This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
Lauren Wills-Dixon, solicitor and head of privacy at law firm Gordons, said: “The scale of this potential ICO enforcement is another reminder to any organisation, particularly those processing special category or ‘sensitive’ data on behalf of customers (such as health data) which is given special protection under data protection laws, that they must have robust security measures in place to protect their systems and data.
“The ICO’s initial finding shows that that Advanced Computer Software Group Ltd failed to implement such measures to protect personal information as the data processor on behalf of the NHS and other customer organisations.
“In the current climate, with cyber attacks on the increase, it’s increasingly important to take legal, regulatory and best practice measures to build and maintain cyber resilience. In fact, the UK Informational Commissioner said himself that he is publicising the provisional decision to help other organisations secure their systems and prevent future incidents.
“Such measures would typically include investing in appropriate technical and organisational measures, implementing robust IT infrastructure and monitoring/detection, developing effective policies, procedures and training, as well as creating, maintaining and testing a business continuity and disaster recovery plan.
“As we have seen in this example, failure to do so can have a significant impact on essential operations (in this case vital NHS procedures), reputation and potentially lead to significant financial penalties too.
“This is particularly interesting as the majority of breaches result in fines to the ‘controller’ and not the ‘processor’ – it shows that IT vendors entrusted to process personal data are not exempt from being fined directly by regulators.”