The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, has announced a provisional decision to impose a fine of £6.09M on Advanced Computer Software Group Ltd (Advanced) for its failure to protect the personal information of nearly 83,000 people when it was hit by a ransomware attack in 2022.

Advanced, an IT service and hosting provider contracted by the United Kingdom’s National Health Service (NHS), was the subject of a cyberattack which impacted hundreds of public and private entities, including NHS 111, and various healthcare products such as Adastra, Caresys, Odyssey, Carenotes, Crosscare, Staffplan, and eFinancials.

As a result of the breach, the personal information of 82,946 people was exposed, including instructions on how to access homes for 890 people receiving care at home.

John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.

“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.

“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”

If Advanced fails to produce convincing arguments and the fine remains in place, it is estimated to equate to £71 per exposed person.

The ICO said its findings were provisional and no conclusion should yet be drawn on whether there had been a breach of data protection law.

The regulator said it would consider any representations from Advanced before making any final decision on the issue.

W Denis offers companies expert support and risk management solutions to protect supply chains and business operations. Cyber exposures are evolving, and it is important that businesses review their insurances for suitability using a specialist broker. To discuss this further with a broker at W Denis, please make arrangements with Daniel Moss at [email protected] or on 0044 (0)113 2439812 or contact Mark Dutton at [email protected] or on 0044 (0) 7831 366 469.
