The U.K. Information Commissioner’s Office (ICO) has proposed a £6.1 million (U.S. $7.8 million) fine against Advanced Computer Software Group, an IT contractor for the National Health Service (NHS), following allegations that the company failed to secure the personal data of 83,000 individuals during a cyberattack. The ICO announced on Wednesday that it provisionally penalized Advanced after the company allegedly neglected to implement basic cybersecurity controls, a lapse that allowed hackers to gain access to sensitive data.
If finalized, this enforcement action would mark the ICO’s first financial penalty against a data processor under the U.K. General Data Protection Regulation (GDPR). Advanced provides IT and software services to the NHS and other healthcare providers. In August 2022, the company suffered a ransomware attack that compromised some of its health and care systems via a customer account that lacked multi-factor authentication (MFA).
The cyberattack exposed phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving care, leading to significant disruption of critical services and preventing healthcare staff from accessing patient records. Although Advanced notified affected individuals and stated that there was no evidence of data being published on the dark web, the incident raised serious concerns about the company's cybersecurity practices.
In a rare move, U.K. Information Commissioner John Edwards decided to publicize the proposed enforcement action to "ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future." Edwards emphasized that until a final decision is made within the next six months, "no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed."
The ICO’s provisional decision underscores the responsibility of third-party IT providers to maintain robust cybersecurity measures to protect the personal data of their clients. The ICO highlighted the importance of assessing and mitigating risks, including the regular checking for vulnerabilities, implementing MFA, and keeping systems updated with the latest security patches.
Becky White, a privacy solicitor at Harper James, commented on the case, stating that the incident demonstrates the critical need for organizations to implement strong security practices, particularly when handling sensitive information such as healthcare data. "Breaches involving medical information or vulnerable categories of individuals are potentially more serious in nature due to the heightened risk of harm and the significant ethical implications where individuals have no option but to put their trust in healthcare organizations and are given no choice or control over how their information is handled," she said.
Lisa Sweetman, a partner in the commercial and data protection teams at law firm Knights, added that the ICO's action serves as "a stark reminder to IT providers acting as processors that they carry their own responsibilities for information security under the U.K. GDPR, separately to that of their controller clients." Sweetman noted that the severity of this incident likely differentiates it from "near-miss" offenses by other processors in the past. "Complacency or ignorance will be no defense to any infringement in this regard and IT providers must pay heed to the regulator’s warnings," she warned.
James Castro-Edwards, counsel at Arnold & Porter, pointed out that the proposed fine reflects the harm caused to the affected data subjects and is intended as a deterrent to other organizations that handle sensitive health data. He explained that while the U.K. GDPR imposes obligations on both controllers and processors, the obligations for processors are primarily focused on maintaining appropriate security measures. "Advanced’s apparent failure to maintain appropriate information security measures constitutes a serious breach of the U.K. GDPR," he said.
Castro-Edwards also cautioned IT providers that if they fail to maintain proper security measures, they risk enforcement action from the data protection authority, as well as potential damages for breach of contract with their customers. This risk is heightened, he noted, when the data involved includes special categories such as health information.
Ilia Kolochenko, cybersecurity practice lead at Platt Law, remarked that the proposed fine, while significant, could be viewed as lenient and may still be reduced. Kolochenko pointed out that in previous cases involving British Airways and Marriott Hotels, the ICO significantly reduced the GDPR fines initially proposed. He noted that under Article 83 of the U.K. GDPR, the penalty threshold for data security failures is 2 percent of annual turnover, although a fixed penalty of up to £8.7 million (U.S. $11.2 million) may be imposed instead. "The provisional fine seems to represent about 2.3 percent of Advanced’s annual turnover in 2021, which makes it slightly above the turnover-based cap though considerably less than the fixed fine cap. Therefore, if regarded through the prism of damage suffered by innocent third parties, the ICO decision is pretty lenient," Kolochenko concluded.
By fLEXI tEAM