Last week, the Information Commissioner's Office ("ICO") announced its provisional decision to fine Advanced Computer Software Group Ltd ("Advanced") £6.09m. This followed an initial finding that Advanced failed to implement appropriate cyber security measures to protect the personal data of over 82,000 people, which included sensitive personal information.

Background

Advanced acts as an IT and software service provider to organisations across the UK, including the NHS and other health and social care providers, handling a significant volume of sensitive personal data as a data processor on behalf of these organisations. In August 2022, Advanced suffered a ransomware attack, widely reported at the time, which took offline seven of Advanced's health systems, including software used for patient check-ins, medical notes and the NHS 111 service.

ICO's initial findings

The ICO provisionally found that hackers had accessed a number of Advanced's healthcare systems via a customer account that did not have multi-factor authentication, and that as a result personal information belonging to 82,946 people had been exfiltrated by the hackers.

The ICO has confirmed that the data taken included phone numbers and medical records, as well as details of how to access the homes of 890 people who were receiving care at home. According to the ICO, the individuals affected were notified, and Advanced confirmed that there was no evidence that the data had been published on the dark web.

What this means for organisations handling sensitive health data

Whilst the ICO's decision is provisional and a final decision has not yet been made, it is notable that the organisation facing a fine of such magnitude is a data processor; this would represent the first fine issued by the ICO against a data processor under the UK GDPR. Although data controllers have ultimate control over how and why personal data is processed, data processors also have data protection obligations of their own.

This serves as a stark reminder to service providers (particularly in the healthcare sector) of their data protection responsibilities. In equal measure, it acts as a warning to data controllers, such as healthcare providers, to carry out adequate due diligence on the software providers acting as data processors on their behalf.

The ICO's decision could be appealed by Advanced. In the meantime, the message from UK Information Commissioner John Edwards is clear: all organisations, especially those handling sensitive health data, are expected "to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches."

Should you wish to discuss any of the issues raised in this article, please contact Amanda Leiu, Lucy Pegler or a member of the Data Protection Team.

This article was written by Emily Fox.