The UK Information Commissioner (“ICO”) has published its intention to fine a data processor £6m. This would be a first against a processor.
This situation has some subtle distinctions. First, the controller is a public body: the NHS. The potential fine relates to a ransomware attack against Advanced Computer Software Group (“ACS”), its processor. The ICO has fined public, or state, bodies before. However, it is examining errors made by the private company involved.
Secondly, it is only a provisional decision at this stage. The ICO has invited ACS to explain why it shouldn’t receive the fine. Finally, it seems to have been an easily avoidable security error.
The facts
The ICO identified that an ACS customer account didn’t have multi-factor authentication, which allowed the attack to happen. As a result, personal data belonging to 83,000 people was extracted, and caused extensive disruption to NHS 111, the online and telephone service which helps assess people with urgent medical needs.
Along with this, other healthcare staff were unable to access patient records. The ICO further identified that the data taken included phone numbers and medical records. Perhaps worst of all, the data included details of how to enter the homes of 890 people receiving residential care.
The UK Information Commissioner, John Edwards, said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.”
The ICO normally fines controllers, because the primary responsibility for compliance with GDPR falls on the controller, but it has always had the power to fine processors. Even so, processors have obligations of their own. Specifically, those obligations include keeping data secure.
The processor, ACS, can make representations before the ICO issues its formal finding. This might mean the ICO concludes there has been no data breach and might not issue a fine. However, if it does decide to fine the processor, it will be the first time this has happened – and likely cause alarm among processors.
What should you do?
Data controllers: ensure you have a robust contract in place with your processor. This should set out the obligations for the processor, including where the processor is your cloud or IT host or provider. You can’t absolve yourself of all issues, but you will be able to show you took relevant steps.
Processors: make sure you implement security – the so-called “appropriate technical and organisational measures”. These days, that includes multi-factor authentication. Similarly, don’t forget to review and adapt your measures. You need to keep up with threats as they change.