The UK’s Information Commissioner’s Office (ICO) has issued a substantial fine totalling £3,076,320 to Advanced Computer Software Group Ltd (Advanced), its health and care subsidiary Advanced Health and Care Ltd (AHC), and parent company Aston Midco Ltd, following a ransomware attack in August 2022 that severely disrupted NHS and social care services.
While this case serves as a stark reminder of the serious consequences of poor data security, it comes against a more encouraging backdrop: the UK Government’s Cyber Security Breaches Survey 2025 reports a decline in the number of cyber attacks affecting small businesses. This suggests that awareness and resilience among SMEs are improving. However, the significant fine against AHC highlights that even in a gradually strengthening cyber security environment, organisations, particularly data processors, cannot afford to become complacent.
This penalty sets an important precedent: data processors, not just controllers, can face enforcement action and financial liability. If your business provides software, products, or services as a data processor, it is crucial not to overlook your obligations under the UK GDPR. Non-compliance can result in serious consequences.
Our data protection solicitors can help guide you if you are unsure of your responsibilities as a data processor.
What was the fine for?
Advanced is a UK-based provider of IT and software services to organisations, including the National Health Service (NHS). AHC acts as a data processor for customers and has access to a wide range of data, including special category personal data.
Following a ransomware attack in August 2022, the ICO identified significant security failings which led to the exposure of personal data belonging to 79,404 individuals. This included sensitive data and information about how to access the homes of 890 vulnerable people receiving care.
Hackers gained entry via a customer account that lacked multi-factor authentication. The investigation found that AHC had failed to implement basic cyber security measures. The attack caused significant disruption to NHS 111 and other key services, halting some NHS operations altogether due to the severity of the incident.
The ICO imposed the fine due to AHC’s failure to implement appropriate technical and organisational measures to safeguard personal data – a core obligation under the UK GDPR for data processors.
The initial proposed fine of £6.09 million was reduced to £3.07 million after a voluntary settlement with the regulator. Nonetheless, this remains a substantial figure and a clear warning that data processors can be held directly accountable for their failings.
What can data processors learn from this?
This case highlights the critical need for businesses, including data processors, to implement comprehensive cyber security controls when handling personal data.
Although processors act on behalf of controller clients, they remain independently responsible for implementing security measures, assessing risks, and staying vigilant to evolving cyber threats that could compromise the data they process.
This is the ICO’s first fine issued to a data processor under the UK GDPR, establishing a clear precedent for direct enforcement.
If your business acts as a data processor, you should:
- Comply fully with the UK GDPR, especially regarding data security.
- Implement strong technical and organisational measures, such as enabling multi-factor authentication, regularly checking for vulnerabilities, and keeping systems up to date with the latest security patches.
- Conduct regular data security audits to assess your systems for weaknesses that could be exploited.
- Train staff thoroughly (and regularly) on data handling and security protocols.
- Maintain and test incident response plans to ensure you are prepared for potential breaches.
- Apply additional safeguards when processing special category data.
- Establish robust data processing agreements with your controller clients and strive to limit liability wherever possible.
In an increasingly competitive market where data security is paramount, enforcement action from the ICO against firms like Advanced Computer Software can have a significant financial and reputational impact. This case illustrates that even fundamental security failings can be costly mistakes.
Our data protection solicitors are here to support your business in meeting its UK GDPR obligations as a data processor and reducing your risk of enforcement action.