A provisional £6m fine has been imposed on NHS software provider Advanced Computer Software Group following a 2022 data breach that affected more than 80,000 people.
Advanced Software Group
Founded in 2008, Advanced Computer Software Group, often referred to as “Advanced,” is a UK-based software and IT services company that provides a range of digital solutions primarily to the public sector, healthcare, and private sector organisations. As an IT and software services provider to organisations including the NHS and other healthcare providers, in the eyes of the law, it handles people’s personal information on behalf of these organisations as their ‘data processor’.
What Happened?
In 2022, hackers accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. The personal information belonging to 82,946 people was stolen following the attack. This information included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
Serious Failings
John Edwards, UK Information Commissioner, has highlighted how the ICO, which has investigated the incident, provisionally found “serious failings” in Advanced’s “approach to information security prior to this incident”. Mr Edwards noted how Advanced “failed to keep its healthcare systems secure” when it should have been taking steps to secure its systems, such as “regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
The Obligations of Data Processors
In his online statement, Mr Edwards noted that although data processors act on the instructions of their clients (the data controllers), processors such as Advanced “still have their own obligations to implement appropriate technical and organisational measures to ensure personal information is kept secure” and this includes “taking steps to assess and mitigate risks”.
Health Service Disruption Also Caused
In his online statement, Mr Edwards also noted that in addition to the theft of personal information, the hack caused disruption to some health services, i.e. disrupting their ability to deliver patient care. Mr Edwards said this meant that “a sector already under pressure was put under further strain due to this incident”.
Provisional Fine
The ICO has stated that on the grounds that Advanced failed to implement measures to protect the personal (and some sensitive) information of the 80,000+ people, it has “provisionally decided” to impose a £6.09m fine on Advanced.
However, although the ICO has chosen to issue a statement about it, its findings and fine are “provisional”. This means that conclusions shouldn’t be drawn at this stage about whether there’s actually been any breach of data protection law or whether a financial penalty will ultimately be imposed.
The Commissioner says that any representations from Advanced will now be carefully considered before any final decision is made “with the fine amount also subject to change.”
Illustrates The Importance of Prioritising Information Security
The UK Information Commissioner said in his statement about the provisional fine: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.”
What Does This Mean For Your Business?
The provisional £6 million fine imposed on Advanced Computer Software Group serves as a stark reminder of the critical importance of businesses and organisations prioritising information security. This incident highlights how even well-established companies with significant responsibilities (such as handling sensitive healthcare data) are not immune to severe consequences when security measures are insufficient. The breach at Advanced not only compromised the personal and medical information of over 80,000 individuals but also disrupted essential health services, demonstrating the far-reaching impact of inadequate data protection.
For your business, this underscores the need to rigorously assess and enhance your cybersecurity practices, particularly if you are a data processor or handle sensitive information on behalf of clients. The ICO’s findings point to specific failings, such as the lack of multi-factor authentication and the failure to regularly update systems; addressing these could have prevented the breach. Implementing robust security protocols, including regular vulnerability assessments, system updates, and comprehensive risk mitigation strategies, is not just a legal obligation but a business imperative.
Also, the incident shows how the failure to prioritise information security can lead to significant financial and reputational damage. While the ICO’s decision and fine are currently provisional, the potential for such penalties should serve as a wake-up call for businesses and organisations to take proactive steps in safeguarding personal data. As the Information Commissioner noted, this case demonstrates the distress caused to individuals who trust organisations with their sensitive information, making it clear that maintaining this trust should be a top priority.