
ICO fines IT firm for data breach
Patient records held by Advanced Computer Software Group hit by ransomware attack
An IT firm which provides services to the NHS has been fined £3m for failing to protect the data of nearly 80,000 patients following a cyberattack.
The ICO (Information Commissioner’s Office) today confirmed it was imposing a financial penalty of £3.07m on Advanced Computer Software Group Ltd, after its CareNotes patient-records system was compromised by a ransomware attack in 2022.
The incident, which affected a dozen trusts in England, left doctors and other healthcare staff unable to access patient medical records, causing significant disruption to services such as NHS 111.
In announcing its decision, the ICO stated Advanced had broken data-protection law by failing to ensure ‘appropriate technical and organisational measures’ were in place to keep its ‘health and care systems fully secure’, prior to the August 2022 attack.
The ICO’s investigation into the incident found that Advanced had applied MFA (multifactor authentication) and system-vulnerability scanning inconsistently, and that the personal information of 79,404 people was compromised as a result.
Intruder risk
The compromised data included details of how to gain entry to the homes of 890 people receiving care at home.
With the £3m penalty the first of its kind to be handed to a data processor by the ICO, Information Commissioner John Edwards said the decision should be viewed as a stark reminder to all organisations of the need for robust cybersecurity safeguards.
He said: ‘The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.
‘While Advanced had installed MFA across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.
‘People should never have to think twice about whether their medical records are in safe hands.
‘To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.’
Oxford consultant psychiatrist Andrew Molodynski’s trust was one of those affected by the 2022 ransomware attack.
He has previously spoken to The Doctor about how the incident led to immense confusion and chaos and left his trust’s administration department scrambling to create temporary records for staff to work from.
Commenting on the ICO’s decision, Dr Molodynski said he hoped lessons would be learned as a result.
He said: ‘Doctors depend upon safe and reliable IT platforms and digital systems to perform their day-to-day work. When these systems are compromised it can have a dramatic impact on both staff and their patients.
‘I hope this decision by the ICO sends a clear message around the importance of cybersecurity in healthcare and serves to encourage firms to take their responsibilities to the NHS and its patients seriously.’