The ICO has provisionally decided to fine Advanced Computer Software Group Ltd £6.09m, following an initial finding that Advanced failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.
Advanced provides IT and software services to organisations at national level, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor.
The provisional decision to issue a fine relates to a ransomware incident in August 2022. The ICO has provisionally found that hackers initially accessed some of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.
The ICO says that personal information relating to 82,946 people was exfiltrated following the attack. The cyber-attack was widely reported at the time of the incident, with reports of disruption to critical services such as NHS 111, and with other healthcare staff unable to access patient records.
The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home. The people affected by the hack were notified, and Advanced found no evidence that any data was published on the dark web.
The ICO is at pains to highlight that its findings are provisional. It says that no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. The Commissioner will carefully consider any representations Advanced make before making a final decision, with the level of fine also subject to change.
The ICO has issued a reminder that data processors act on the instructions of their clients, the data controllers, who have overall control over how and why personal information is used. However, data processors, such as Advanced, still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure. This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches. It has highlighted its guidance to support organisations with protecting their systems from ransomware attacks, as well as guidance about the responsibilities and liabilities of both data processors and controllers.
