Out-Law News

NHS processor fined £3m after ransomware data breach

Image: Digital health records (Aree Sarak/Getty Images).

An IT provider to the NHS has been fined more than £3 million by the UK’s data protection authority, the Information Commissioner’s Office (ICO), after a ransomware attack on the company led to the data of nearly 80,000 people being compromised.

In its penalty notice (a 58-page, 22.8MB PDF), the ICO said Advanced Computer Software Group Ltd (Advanced) was responsible for a breach of the UK General Data Protection Regulation (GDPR).

It is the first time that the ICO has confirmed a monetary penalty against a data processor under the GDPR. Prior to the implementation of the GDPR, the ICO was only able to impose fines against the data controllers that engage processors over failings the processor was responsible for.

Information commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

The ICO said there were lessons other organisations could learn from the incident, and it restated the importance of having multi-factor authentication (MFA) in place across a company’s whole estate, leaving no part vulnerable to attack.

The data breach stemmed from a ransomware attack in August 2022, which reportedly disrupted the operation of the NHS 111 service and prevented healthcare staff from accessing patient records. According to the ICO, the attackers gained access to Advanced’s systems via a customer account that was not protected by multi-factor authentication. Once inside, they were able to exfiltrate data belonging to 79,404 people – including, in the case of 890 people who receive home care, details of how to gain entry to their property.
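The ICO’s point is that MFA coverage is only as good as its weakest account. As an added illustration (example code, not from Advanced, the ICO or Out-Law), the audit below reads a constructed identity-inventory export and flags any account that lacks MFA yet can reach internal systems, alongside per-account-type coverage; the export format and the `can_reach_internal` column are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export from an identity provider (hypothetical format, not real data).
# The point it models: staff accounts are fully enrolled, but customer and vendor
# accounts that can still reach internal systems are not.
SAMPLE_EXPORT = """\
account,type,mfa_enrolled,can_reach_internal
j.smith,staff,yes,yes
ops-admin,staff,yes,yes
customer-portal-12,customer,no,yes
customer-portal-13,customer,no,no
vendor-support,third_party,no,yes
svc-backup,service,yes,no
"""


@dataclass(frozen=True)
class Account:
    name: str
    kind: str
    mfa: bool
    reaches_internal: bool


def parse_export(text: str) -> list[Account]:
    """Parse the assumed CSV export into Account records."""
    def yes(value: str) -> bool:
        return value.strip().lower() == "yes"
    return [Account(r["account"], r["type"], yes(r["mfa_enrolled"]), yes(r["can_reach_internal"]))
            for r in csv.DictReader(io.StringIO(text))]


def coverage_by_type(accounts: list[Account]) -> dict[str, float]:
    """Fraction of accounts enrolled in MFA, per account type."""
    totals: dict[str, tuple[int, int]] = {}
    for a in accounts:
        enrolled, count = totals.get(a.kind, (0, 0))
        totals[a.kind] = (enrolled + int(a.mfa), count + 1)
    return {kind: round(enrolled / count, 2) for kind, (enrolled, count) in totals.items()}


def audit(text: str) -> dict:
    """Report coverage per type, the accounts that create a reachable gap, and whether the estate is complete."""
    accounts = parse_export(text)
    gaps = [a.name for a in accounts if not a.mfa and a.reaches_internal]
    return {"coverage": coverage_by_type(accounts), "gaps": gaps,
            "complete": all(a.mfa for a in accounts)}


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

A headline coverage figure (here four of six accounts) can hide exactly the kind of externally-facing account the notice describes, which is why the report lists the reachable gaps by name rather than only a percentage.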

Cyber risk expert Ellie Ludlam of Pinsent Masons, who has led the response to a large number of healthcare sector breaches, said: “The incident serves as a salutary reminder of the particular risks associated with healthcare breaches, where the nature of the data being processed can expose individuals to a genuine risk of physical harm. Understandably, there is an expectation that organisations operating in this sector will apply robust technical and organisational measures to protect the data they process on behalf of patients.”

Seemingly drawing a line in the sand, Edwards said: “People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.”

Last year, the ICO had signalled its intention to fine Advanced £6.09m in relation to the incident. However, after considering representations made by Advanced, the authority imposed a final fine of a little under £3.08m. It said the company’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted” were among the factors that weighed towards reducing the fine.

Commenting on the mitigating factors cited in the penalty notice, Ludlam said: “In its data protection fining guidance issued last year, the ICO stated that it would view engagement with law enforcement as a mitigating factor when weighing up what enforcement action to take. The penalty notice issued against Advanced goes beyond that and clarifies that the ICO has also taken into account the fact that Advanced: notified customers and controllers within 24 hours of discovery irrespective of whether they were affected; dedicated a team of 18 people to the restoration of infrastructure and engaged external experts as part of the forensic investigation and analysis of the data impacted; and undertook a comprehensive review of potentially impacted data, and notification to impacted controllers.”

“Given the potential costs and time involved in reviewing impacted data post breach, it is interesting to note that the ICO will consider data mining efforts a mitigating factor when considering enforcement action. It is also noteworthy that the size of team stood up to respond to an incident is taken into account as this information is not always proactively shared with the ICO, but I expect now will be by notifying companies,” she said.

Healthcare expert Louise Fullwood, also of Pinsent Masons, added: “After the Synnovis attack which brought down pathology services last June, NHS England’s chief information security officer notified all NHS providers to mandate two-factor authentication for all NHS systems – including suppliers’ systems. This case is a reminder to NHS providers to do continuing due diligence of suppliers to ensure that they are meeting these requirements.”

According to Computer Weekly, an Advanced spokesperson said the company considers the breach “wholly regrettable” and that it had “learned a great deal” since the attack.
