£6m fine for NHS data breach: Urgent GDPR warning for data processors

The Information Commissioner’s Office (ICO) issued a provisional decision to impose a £6m fine on software provider Advanced Computer Software Group following a ransomware attack in 2022 that disrupted NHS and social care services.

This action by the ICO serves as a strong warning to businesses about the urgent need to protect personal data. If your company provides software, products, or services as a data processor, do not overlook your UK GDPR obligations—failure to comply can hold you directly accountable for data privacy breaches.

Our data privacy solicitors can help guide you if you are unsure of your responsibilities as a data processor.

What happened with Advanced Computer Software Group?

Advanced Computer Software Group, a UK-based company providing IT and software services to organisations including the NHS, is facing a staggering provisional £6.09m fine after a 2022 ransomware attack compromised sensitive medical records, patient phone numbers and the home-entry details of several patients who were receiving care at home. The incident also disrupted critical NHS services such as NHS 111.

The ICO allegedly found that the ‘hackers initially accessed several Advanced’s health and care systems via a customer account that did not have multi-factor authentication.’

What can we learn from the ICO’s initial findings?

The ICO’s initial findings are a stark warning to businesses.

Businesses, including data processors, must remember the importance of implementing thorough cybersecurity measures to protect personal data.

Data processors, despite acting on their controller client’s instructions, still need to apply security measures, assess risks and be on top of the latest security threats which could compromise the personal information they process.

This provisional decision could indicate that the data protection regulator is going to take a tougher stance on holding processors accountable for their failures, so processors must prioritise compliance and mitigate their potential liabilities.

If your business acts as a data processor, remember the need to:

  • Comply with the UK GDPR rules – you are also accountable and have direct obligations under the UK GDPR; the law doesn’t just apply to your controller customers.
  • Implement strong security measures when processing data on behalf of controllers, including regularly checking for vulnerabilities, enabling multi-factor authentication on accounts, and keeping systems up to date with the latest security patches.
  • Carry out frequent data security audits to check and assess your systems for vulnerabilities and address any potential weaknesses that could be exploited by hackers or cybercriminals.
  • Train and re-train your staff to handle customer data with great care and security to avoid data breaches.
  • Consider your data processing agreements with controller customers and what you can agree on to cap your liability, especially as you could face fines from the ICO.

What are the key takeaways?

If you are a data processor, remember to take your UK GDPR compliance obligations seriously. Strong security measures are a key obligation, but there are a range of other compliance obligations you need to stay on top of. In a competitive market where data security is a top priority for customers, actions like this from the ICO could not only penalise you financially but also ruin trust in your business as a reputable supplier.

Our data protection team can guide you on your UK GDPR obligations as a data processor, or if you are a data controller.

You can find the ICO’s full story here.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.