The UK Information Commissioner’s Office (ICO) has provisionally decided to impose a penalty of £6.09m on Advanced Computer Software Group over a data breach that affected thousands of people. The decision comes after an initial finding of the authority that the British software company failed to implement adequate measures to protect the personal data of 82,946 individuals, including sensitive information.
Advanced Computer Software Group offers IT and software services to national organisations, including the National Health Service (NHS) and other healthcare providers. The company manages the public’s personal information on behalf of these organisations. The proposed fine stems from a ransomware incident in August 2022, in which hackers infiltrated several of Advanced Computer Software Group’s health and care systems through a customer account that lacked multi-factor authentication.
ICO delivers stinging indictment of company failings
This attack, which was widely reported at the time, disrupted critical services, including NHS 111, and left healthcare staff unable to access patient records. The incident resulted in the extraction of personal data, including phone numbers and medical records, along with details on how to enter the homes of 890 individuals receiving home care. Affected individuals were notified, and Advanced Computer Software Group found no evidence that the data was published on the dark web.
ICO’s findings are provisional, and no final conclusion has been reached regarding a breach of data protection law or the imposition of a financial penalty. The regulator expects to thoroughly consider any representations made by the British software company before making a final decision, and the amount of the fine is subject to change.
UK Information Commissioner John Edwards said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.”
NHS targeted by hackers earlier this year
ICO said that data processors like Advanced Computer Software Group have their own obligations to implement appropriate technical and organisational measures to ensure data security.
This includes regularly assessing and mitigating risks, such as checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches.
Recently, two hospital trusts in London, the King’s College Hospital NHS Foundation Trust and Guy’s and the St Thomas’ NHS Foundation Trust, experienced a major IT incident, which is considered the second most severe NHS cyberattack of the year. The incident disrupted several primary services, including blood transfusions, and led to the cancellation or reassignment of various operations.