Proposed penalty for Birmingham software provider after NHS ransomware disruption
The Information Commissioner’s Office (ICO) has provisionally decided to impose a £6.09 million penalty on Advanced Computer Software Group Ltd (Advanced), headquartered in Birmingham. The decision follows preliminary findings that the company did not take adequate measures to protect the personal information, including sensitive data, of 82,946 individuals.
Advanced, a provider of IT and software services on a national scale, processes personal information for various organisations, including the NHS and other healthcare entities.
This provisional decision stems from a ransomware incident in August 2022, during which hackers reportedly gained access to several of Advanced’s health and care systems through a customer account lacking multi-factor authentication.
It is believed that the personal information of 82,946 people was stolen during this attack. The cyberattack disrupted vital services, notably NHS 111, and left healthcare workers unable to access patient records.
The stolen data included telephone numbers, medical records, and access details to the homes of 890 individuals receiving home care. Those affected have been informed, and Advanced has found no evidence of the data being published on the dark web.
The Commissioner’s findings remain provisional; no definitive conclusions about breaches of data protection law or the imposition of a final penalty have yet been made. The ICO will consider any representations from Advanced before finalising its decision, and the penalty amount remains subject to adjustment.
John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
Dr Ilia Kolochenko, CEO at ImmuniWeb and Adjunct Professor of Cybersecurity at Capital Technology University, commented: “The UK ICO’s provisional decision is probably motivated, among other things, by the disastrous impact and aftershock of the attack, which virtually paralyzed the British healthcare system in 2022. Under Article 83 of the UK GDPR, the turnover-based penalty threshold – for data security failures and other violations of Article 32 – is up to 2% of annual turnover of the preceding financial year, while a fixed penalty of up to £8,700,000 may be imposed instead at the discretion of the regulator or court. The provisional fine seems to represent about 2.3% of Advanced’s annual turnover in 2021, slightly above the turnover-based cap but considerably less than the fixed fine cap. Therefore, if regarded through the prism of damage suffered by innocent third parties, the ICO decision is pretty lenient.”