Advanced Computer Software Group, an NHS software supplier, looks set to receive a £6 million fine after a data breach in its systems last year exposed sensitive information on more than 80,000 people. The breach disrupted health services within County Durham and Darlington Trust and prompted a critical review of the company's data protection practices.
The Issue:
The Information Commissioner’s Office is proposing a record fine of £6 million for Advanced Computer Software Group, an NHS software provider, after a serious data breach in 2022 that affected more than 80,000 people’s records, exposing personal information such as medical records and, for 890 of them, information about whether their homes were accessible.
The ICO has stated that the penalty has not yet been imposed: it must wait for the response of Advanced Computer Software Group before the fine can be finalised and enforced. Its findings state that hackers were able to obtain the personal information of 82,946 individuals. This was no minor breach, as it went beyond a privacy violation; it also interfered with the provision of health services.
“The breach brought unimaginable problems for the NHS,” explained Information Commissioner John Edwards. “Not only was personal information compromised but also, we have seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care.” He added that the breach had added extra stress to an already stretched health sector.
Impact on Health Services:
The hack came at a great cost to the NHS. Seven of Advanced’s health systems were taken offline, including systems used for patient check-in, medical note-taking, and the NHS 111 service. This created a significant backlog of medical paperwork that doctors and healthcare workers had to contend with, and some GP services had to fall back on pen and paper for notes because their electronic systems were unavailable.
The disruption was severe enough that it took several months to clear the paperwork backlog caused by the cyber-attack. Several healthcare providers were affected and had to find temporary ways to keep patient care going as best they could.
How the Hack Occurred:
The hackers accessed the NHS data through an inadequately secured customer account. The ICO believes that Advanced should have applied higher standards of protection for its customers.
Mr. Edwards said that publishing the provisional decision was intended to help other organisations secure their systems against a repeat of the same kind of incident. “I am choosing to publicize this provisional decision today as it is my duty to ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future,” he said. He advised all organisations, especially those that handle sensitive health data, to strengthen their security controls, including by using multi-factor authentication.
Expert Opinions:
Commenting after this ruling was Lauren Wills-Dixon, a solicitor and head of privacy at the law firm Gordons. She said that the size of the potential fine acts as a deterrent to any business handling sensitive data. “It really is a stark reminder of the scale of the potential for ICO enforcement against any organisation, but most especially those processing special category or ‘sensitive’ data on behalf of customers, where in this instance, health data is given special protection under data protection law,” she said.
Wills-Dixon called on organisations to adopt very robust security measures, including:
- Technical and Organisational Measures: Provision of robust IT infrastructure and monitoring systems.
- Effective Security Policies and Procedures: Development and maintenance of suitable policies and procedures relating to security.
- Training: Periodic training should be provided to staff on data protection and security.
- Business Continuity Plans: Business continuity and disaster recovery plans should be developed, maintained and tested.
The proposed £6 million fine against Advanced Computer Software Group shows that an organisation can face severe penalties for failing to protect critical information. This breach not only violated the privacy of thousands of people; it also caused serious disruption to NHS services. The ICO will finalise the amount of the fine once it has received Advanced's response, and other organisations that handle sensitive information are expected to strengthen their own security. The incident is an important lesson in data protection for all sectors, especially those handling personal and health-related information.
The hope is that publicising this case will prompt all organisations to adopt stricter measures to protect their systems and so reduce future breaches.