Provisional £6m Fine Imposed on Software Provider Following NHS Ransomware Attack

Advanced Computer Software Group Ltd (Advanced) is facing a provisional fine of £6.09 million following a 2022 ransomware attack that disrupted NHS and social care services.

The Information Commissioner’s Office (ICO) has preliminarily determined that the company failed to implement adequate measures to protect the personal information of 82,946 individuals, including sensitive data.

Advanced, a key IT and software services provider to national organizations like the NHS, serves as a data processor, handling personal information on behalf of these entities. The ransomware incident, which occurred in August 2022, involved hackers accessing several of Advanced’s health and care systems through a customer account lacking multi-factor authentication.

The attack resulted in the exfiltration of personal information, including phone numbers, medical records, and entry details for 890 individuals receiving home care. The breach caused significant disruption to critical services, notably NHS 111, with healthcare staff unable to access essential patient records. Although Advanced reported no evidence of the stolen data being published on the dark web, the incident had a profound impact on affected individuals.

A “Pretty Lenient” Decision

Dr Ilia Kolochenko, CEO of ImmuniWeb and Adjunct Professor of Cybersecurity at Capital Technology University, said the UK ICO’s provisional decision is likely motivated, among other things, by the attack’s disastrous impact and aftermath, which practically paralyzed the British healthcare system in 2022.

“Under Article 83 of the UK GDPR, the turnover-based penalty threshold—for data security failures and other violations of Article 32—is 2% of the preceding financial year’s annual turnover, while a fixed penalty of up to £8,700,000 may be imposed instead at the discretion of the regulator or court,” Kolochenko said.

The provisional fine seems to represent about 2.3% of advanced annual turnover in 2021, being slightly above the turnover-based cap but considerably less than the fixed fine cap. “Therefore, if regarded through the prism of damage suffered by innocent third parties, the ICO decision is pretty lenient,” Kolochenko added.

Provisional Findings and Next Steps

The ICO’s findings are currently provisional. No final conclusion has been drawn regarding any breach of data protection law or the imposition of a financial penalty. The Commissioner will review any representations made by Advanced before issuing a final decision, and the fine amount may be subject to change.

John Edwards, UK Information Commissioner, emphasized the importance of information security, especially for organizations handling sensitive health data.

“This incident shows just how important it is to prioritize information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations,” Edwards stated. “Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.”

Edwards highlighted the provisional findings of serious failings in Advanced’s approach to information security despite measures on its corporate systems. He stressed the need for organizations to take fundamental steps to secure their systems, including regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems updated with the latest security patches.

Preventing Further Incidents

The Commissioner’s decision to publicize this provisional decision aims to provide other organizations with critical information to secure their systems and prevent similar incidents. Edwards urged all organizations, particularly those handling sensitive health data, to secure external connections with multi-factor authentication promptly.

Data processors, such as Advanced, must implement appropriate technical and organizational measures to ensure personal information is secure, even as they act on their clients’ instructions. This includes regular vulnerability assessments, multi-factor authentication, and timely security updates.