The Information Commissioner’s Office has announced today that it has issued a fine under the UK GDPR to an NHS IT supplier, in relation to a significant data breach in 2022. Following a Notice of Intent issued last year for £6.09 million, Advanced Computer Software Group Ltd has now been fined £3,076,320. The ICO found that the company failed to adequately protect the personal data of 79,404 individuals in breach of Article 32 of the UK GDPR.
As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds the role of Data Processor for many of its clients. The breach in question occurred during a ransomware attack in August 2022. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The ICO investigation found that personal data belonging to 79,404 people was taken. This included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care.
The cyber-attack caused widespread disruption, with NHS 111 services impacted and some GPs resorting to pen and paper as electronic systems went offline. At the time, doctors warned that it could take months to clear the backlog of paperwork created by the incident.
The fine serves as a reminder that Data Processors, like Advanced, have a duty to implement robust technical and organisational measures to safeguard personal data. This includes regularly assessing risks, applying multi-factor authentication, and keeping systems updated with the latest security patches. Data Processors cannot shift the responsibility to Data Controllers; their GDPR security obligations are independent of those of the Data Controller.
Like previous fines, this one was substantially reduced from the amount announced in the Notice of Intent. In 2018, British Airways faced a Notice of Intent for a £183 million fine due to a cybersecurity breach, but the actual fine issued in 2020 was reduced to £20 million. Similarly, Marriott International Inc.’s fine dropped from £99 million to £18.4 million after a Notice of Intent in 2020. What is interesting in this case is that the fine follows a “voluntary settlement” where Advanced acknowledged the ICO decision to impose a reduced fine and agreed to pay it without appealing.
We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches Workshop.