On August 7, 2024, the UK Information Commissioner’s Office (“ICO”) announced its provisional decision to fine Advanced Computer Software Group Ltd (“Advanced”) £6.09 million following an initial finding that the company, which acted as a data processor, had failed to implement sufficient measures to protect personal information.
Advanced, a provider of IT and software services to clients that include the UK National Health Service (“NHS”), suffered a ransomware attack in August 2022. According to the ICO, the attack may have led to the exfiltration of the personal data of 82,946 individuals, including special category data such as medical records, as well as information on how to gain entry to the homes of 890 individuals receiving at-home care. The ICO provisionally determined that the hackers had gained access to Advanced’s health and care systems via a customer account that did not have multi-factor authentication implemented.
In its announcement, the ICO emphasized that these are provisional findings and that at this stage, the conclusion should not be drawn that any breach of data protection law has taken place or that a financial penalty will be imposed, adding that it will consider representations made by Advanced before coming to a final decision.
The Commissioner stated: “I am choosing to publicize this provisional decision today as it is my duty to ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”