10 September 2024

Provisional Decision From ICO Over NHS Ransomware Attack Provides Valuable Lessons To Data Processors

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Contributor

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP is a law firm dedicated to advancing ideas, discoveries, and innovations that drive businesses around the world. From offices in the United States, Europe, and Asia, Finnegan works with leading innovators to protect, advocate, and leverage their most important intellectual property (IP) assets.
Data processors have obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure. In August 2022, Advanced Computer Software Group Ltd ("Advanced"), which provides IT services to the National Health Service ("NHS") and other healthcare providers, faced a ransomware attack. This incident led to a disruption of healthcare services and exfiltrated the personal information of 82,946 people. Below we discuss the background to the incident which led to the provisional decision by the UK's Information Commissioner's Office ("ICO") to fine Advanced £6.09 million, and the steps data processors can take to ensure they meet their obligations.

Background

As their IT provider and data processor, Advanced handles personal information on behalf of the NHS and other healthcare providers on a national scale. In August 2022, hackers accessed Advanced's health and social care systems through a customer account that did not have multi-factor authentication.

The cyberattack resulted in critical services, such as NHS 111, facing disruption and healthcare staff being unable to access patient records. As a consequence of the attack, hackers were able to retrieve personal information belonging to 82,496 people, which included phone numbers and medical records. Further, the hackers exfiltrated details regarding how to gain entry to the homes of nearly 900 people receiving care at home.

ICO Provisional Decision

In August 2024, the ICO made an initial finding that Advanced failed to implement measures to protect the personal information of those 82,496 people and provisionally decided to fine Advanced £6.09 million.

These initial findings are provisional. The ICO has not officially concluded that a breach of data protection law has occurred. Before any final decision is made, the ICO will consider any representations from Advanced. This also means the fine amount is subject to change.

The ICO, however, chose to publicise this provisional decision to emphasise the importance of prioritising information security. In particular, the ICO hopes the lessons from this incident will help other organisations secure their systems and avoid similar incidents in the future.

Key Learnings for Data Processors

Under the UK GDPR, data controllers decide what personal data is collected and why, and exercise ultimate control over the data. Data processors, on the other hand, process personal data in line with the relevant controller's instructions. However, processors are still responsible for ensuring that appropriate technical and organisational measures are implemented to protect personal data.

This provisional decision emphasizes that data processors must meet their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure.

Data processors should take steps to assess and mitigate the risk of cyberattacks, including the following:

  • Regularly check for vulnerabilities within the network for both internal and external hardware and software.
  • Implement appropriately strong access controls for systems that process personal data. For Internet-facing services, such as remote access solutions, enable multi-factor authentication or other equally strong access controls.
  • Ensure there is a process of identifying, assessing, acquiring, testing, deploying and validating patches. Prioritise patches relating to Internet-facing services, as well as critical and high-risk patches, and keep systems up to date with the latest security patches.
  • Regularly test, assess, and evaluate the effectiveness of the technical and organisational controls in place.
