A provisional £6m fine has been imposed on an NHS software provider Advanced Computer Software Group following a 2022 data breach that affected more than 80,000 people.
Advanced Software Group
Founded in 2008, Advanced Computer Software Group, often referred to as “Advanced,” is a UK-based software and IT services company that provides a range of digital solutions primarily to the public sector, healthcare, and private sector organisations. As an IT and software services provider to organisations including the NHS and other healthcare providers, in the eyes of the law, it handles people’s personal information on behalf of these organisations as their ‘data processor’.
What Happened?
In 2022, hackers accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. The personal information belonging to 82,946 people was stolen following the attack. This information included phone numbers and the medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
Serious Failings
John Edwards, UK Information Commissioner, has highlighted how the ICO, which has investigated the incident, provisionally found “serious failings” in Advanced’s “approach to information security prior to this incident”. Mr Edwards noted how Advanced “failed to keep its healthcare systems secure” when it should have been taking steps to secure its systems, such as “regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
The Obligations of Data Processors
In his online statement, Mr Edwards noted that although data processors act on the instructions of their clients, the data controllers, data processors, such as Advanced, “still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure” and this includes “taking steps to assess and mitigate risks”.
Health Service Disruption Also Caused
In his online statement, Mr Edwards also noted that in addition to the theft of personal information, the hack caused disruption to some health services, i.e. disrupting their ability to deliver patient care. Mr Edwards said this meant that “a sector already under pressure was put under further strain due to this incident”.
Provisional Fine
The ICO has stated that on the grounds that Advanced failed to implement measures to protect the personal (and some sensitive) information of the 80,000+ people, it has “provisionally decided” to impose a £6.09m fine on Advanced.
However, despite choosing to issue the statement about it, the ICO’s findings and fine are “provisional”. This means that conclusions shouldn’t be drawn at this stage about whether there’s actually been any breach of data protection law or that a financial penalty will ultimately be imposed.
The Commissioner says that any representations from Advanced will now be carefully considered before any final decision is made “with the fine amount also subject to change.”
Illustrates The Importance of Prioritising Information Security
UK Information Commissioner, said in his statement about the provisional fine: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.”
What Does This Mean For Your Business?
The provisional £6 million fine imposed on Advanced Computer Software Group serves as a stark reminder of the critical importance of businesses and organisations prioritising information security. This incident highlights how even well-established companies with significant responsibilities (such as handling sensitive healthcare data) are not immune to severe consequences when security measures are insufficient. The breach at Advanced not only compromised the personal and medical information of over 80,000 individuals but also disrupted essential health services, demonstrating the far-reaching impact of inadequate data protection.
For your business, this underscores the need to rigorously assess and enhance your cybersecurity practices, particularly if you are a data processor or handle sensitive information on behalf of clients. The ICO’s findings point to specific failings, such as the lack of multi-factor authentication and the failure to regularly update systems, which could have prevented the breach. Implementing robust security protocols, including regular vulnerability assessments, system updates, and comprehensive risk mitigation strategies, is not just a legal obligation but a business imperative.
Also, the incident shows how the failure to prioritise information security can lead to significant financial and reputational damage. While the ICO’s decision and fine are currently provisional, the potential for such penalties should serve as a wake-up call for businesses and organisations to take proactive steps in safeguarding personal data. As the Information Commissioner noted, this case demonstrates the distress caused to individuals who trust organisations with their sensitive information, making it clear that maintaining this trust should be a top priority.