ICO fines processor after inadequate security measures lead to widespread disruption to critical services
On 27 March 2025, the Information Commissioner's Office (ICO) imposed a fine of £3.1 million on Advanced Computer Software Group Ltd (Advanced) for security failings that compromised the personal data of 79,404 individuals and caused disruption to the provision of essential healthcare services.
This fine marks the ICO's first penalty imposed on a processor under the UK General Data Protection Regulation (UK GDPR), demonstrating that the ICO will seek to hold processors directly accountable for personal data breach incidents caused as a result of their own failures to implement appropriate technical and organisational measures (TOMs). Data protection authorities in the EU have already handed down similar penalties to processors.
The ICO's monetary penalty notice sets out its reasons for the fine.
What happened?
Advanced provides IT and software services to the healthcare sector, including the NHS.
In August 2022, Advanced suffered a ransomware attack. The attackers gained initial access through a customer account on the systems of its health and care subsidiary that lacked multi-factor authentication (MFA), and from there exploited vulnerabilities in those systems. The breach caused significant and widespread disruption to the healthcare sector: patient records were made inaccessible, critical services such as the NHS 111 helpline were disrupted, and the data of 79,404 people, including patients, was exfiltrated. According to the ICO's findings, all affected customer systems were not fully restored until 23 May 2023, almost 300 days after the attack.
The ICO's investigation concluded that Advanced's subsidiary had failed to implement appropriate TOMs to protect the personal data it was processing on behalf of its customers. The deficiencies identified included gaps in the deployment of MFA, insufficient vulnerability scanning, and inadequate patch management. On 7 August 2024, the ICO published its provisional decision to impose a £6.1 million fine; this was reduced to £3.1 million following a voluntary settlement.
Why does this matter?
Article 32 of the UK GDPR requires processors to implement TOMs to ensure the security of personal data they process on behalf of controllers. In addition, Article 28 of the UK GDPR specifies that a controller must only use processors providing sufficient guarantees to implement TOMs.
This case is significant as it represents the ICO's first fine against a processor under the UK GDPR. Until now, controllers have been the focus of regulatory enforcement, and it is controllers that have the obligation to notify the ICO of personal data breach incidents. However, this decision, together with the ICO's accompanying commentary, suggests that the ICO is seeking to send a warning that processors providing services to other organisations have their own independent obligations to keep personal data secure and to implement appropriate TOMs.
The penalty is also significant because it provides insight into the ICO's interpretation of the TOMs expected in a highly sensitive environment involving health data. The ICO identified as failings the lack of regular vulnerability scanning, the ad hoc nature of patch management, and the inconsistent application of MFA. In particular, a publicly known vulnerability (a CVE carrying the maximum CVSS base score of 10.0, Critical) that was two years old had not been remediated, despite widespread publicity about it and a patch being available for that whole period.
Key takeaways
- Processors can be investigated too. This penalty is significant because it shows that despite controllers having the obligation to notify the ICO of personal data breach incidents and being primarily responsible for managing an incident, processors can also form part of the ICO's investigation. Importantly, it recognises the processor's own independent obligations in relation to personal data breaches impacting numerous controllers. Clearly, there are efficiencies from a regulatory perspective to investigating and issuing a penalty against one processor rather than pursuing multiple controllers in relation to the same incident.
- What is 'appropriate'? In its investigation the ICO considered the standard to which Advanced should be held and pointed to Advanced's size, the number of customers it processed personal data for, and the volume and nature of the personal data it processed (in particular, health data and medical records, national insurance numbers, ethnicity, religion, and information on how to get into healthcare clients' homes). It also took into account that some of the affected data subjects were children. The resulting standard that Advanced was expected to meet was a high one. Organisations processing special categories of personal data relating to vulnerable individuals should expect to be held to a higher standard and to implement more stringent measures.
- Industry standards and best practice. Advanced fell well short of the cybersecurity standards expected of its business, including in patch management and, critically for this ransomware attack, MFA. These are all considered basic cybersecurity measures that any organisation should have in place. In determining the applicable industry standards, the ICO referred to its own recommendations and the NCSC's, to previous monetary penalty notices it has issued, to ISO standards, and to the Cyber Essentials certification as relevant to its assessment that Advanced fell short of "fundamental cyber security principles". In particular, these guidelines set the expectation that effective identity verification, including MFA, should form part of the password reset flow, so that a threat actor cannot use the password reset functionality to gain access to an account while bypassing the second factor.
- Processor breaches can have widespread impact. Only 2% of Advanced's customers were affected by data exfiltration in the ransomware attack itself. The other 98% suffered significant operational impacts because of the steps Advanced took to contain the incident, with critical healthcare information systems suffering downtime or reduced availability. It is another example of a supply chain attack affecting multiple UK organisations.
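Two of the failings above turn on the same design point: an account without MFA, and a password reset flow that does not re-verify identity, both let an attacker who controls only one channel (a password, or an email inbox) take over an account. The following Python is an added illustration of that point and is not code from Advanced, the ICO, or the NCSC guidance. It models a constructed in-memory account store with two configurations of the reset flow: a weak one in which the emailed token alone resets the password and logs the caller straight in, and a hardened one in which the token must be combined with a valid TOTP code, existing sessions are revoked, and the token is single-use. The TOTP routine follows RFC 6238; the account, secret, token lifetime and policy names are assumptions for the example.

```python
"""Password reset flow: MFA-bypassing version beside a hardened version.

Added illustration only; the store, account and policy values are constructed.
"""
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for Unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2id is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Minimal in-memory account store with sessions and reset tokens."""

    def __init__(self, require_mfa_on_reset: bool):
        self.require_mfa_on_reset = require_mfa_on_reset
        self.accounts = {}      # username -> dict(salt, pw_hash, totp_secret, sessions)
        self.reset_tokens = {}  # token -> (username, expires_at)

    def add_account(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "sessions": set(),
        }

    def login(self, username: str, password: str, code: str, now: int):
        """Normal login: password plus TOTP. Returns a session id or None."""
        acct = self.accounts[username]
        if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"]):
            return None
        if not hmac.compare_digest(totp(acct["totp_secret"], now), code):
            return None
        session = secrets.token_urlsafe(32)
        acct["sessions"].add(session)
        return session

    def request_reset(self, username: str, now: int) -> str:
        """Issue a reset token. In a real system this goes out by email, which is
        exactly the channel an attacker may already control."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, now + RESET_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, now: int, code=None):
        """Returns (ok, session). Weak flow: the token alone proves identity and the
        caller is logged straight in, so MFA is never consulted. Hardened flow: the
        token must be paired with a valid TOTP code, all existing sessions are
        revoked, and no session is issued (the user logs in normally afterwards)."""
        entry = self.reset_tokens.pop(token, None)  # single use in both flows
        if entry is None:
            return False, None
        username, expires_at = entry
        if now > expires_at:
            return False, None
        acct = self.accounts[username]
        if self.require_mfa_on_reset:
            if code is None or not hmac.compare_digest(totp(acct["totp_secret"], now), code):
                return False, None
            acct["sessions"].clear()  # evict any session an attacker already holds
            acct["pw_hash"] = hash_password(new_password, acct["salt"])
            return True, None
        acct["pw_hash"] = hash_password(new_password, acct["salt"])
        session = secrets.token_urlsafe(32)
        acct["sessions"].add(session)  # auto-login on reset: the MFA gap
        return True, session


def demo(now: int = 1_700_000_000) -> dict:
    """Replay the same attack against both configurations: the attacker holds only the
    emailed token (no password, no authenticator). Then run the legitimate path."""
    secret = b"constructed-totp-seed"  # constructed sample secret
    results = {}
    for mode in ("weak", "hardened"):
        store = AccountStore(require_mfa_on_reset=(mode == "hardened"))
        store.add_account("clinician", "correct horse", secret)
        token = store.request_reset("clinician", now)
        results[mode] = store.complete_reset(token, "attacker-chosen", now)  # no TOTP
    store = AccountStore(require_mfa_on_reset=True)
    store.add_account("clinician", "correct horse", secret)
    stale = store.login("clinician", "correct horse", totp(secret, now), now)
    token = store.request_reset("clinician", now)
    results["legit"] = store.complete_reset(token, "new-pass", now, code=totp(secret, now))
    results["stale_session_revoked"] = stale not in store.accounts["clinician"]["sessions"]
    results["token_reuse"] = store.complete_reset(token, "again", now, code=totp(secret, now))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the weak configuration the attacker ends up with a valid session having never presented a password or second factor; in the hardened configuration the same request fails, and even a session the attacker obtained earlier is revoked when the legitimate user resets. The point for a processor is that MFA at login is undermined if any adjacent flow (reset, recovery, support-desk unlock) can be completed with a single factor.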
Controllers may welcome this decision. It is perhaps indicative of a shifting regulatory approach that attributes liability directly to processors which suffer security incidents, in light of the rising number of supply chain attacks affecting multiple organisations at once.
The final amount of the penalty issued is also illustrative of the ICO's willingness to negotiate and the importance of effective regulatory engagement. Advanced was cooperative during the ICO's investigation. In the aftermath of the incident, it worked constructively with the NCSC, the National Crime Agency, and the NHS, notified all customers within 24 hours of discovery, stood up a team to restore infrastructure post incident, and engaged third-party experts to support breach response. It was also a condition of the reduced penalty amount that Advanced would not appeal the penalty in the courts.
Processors in the healthcare sector will always be targets for cyber criminals because of the sensitivity of the personal data they hold and the potential for large-scale disruption, which commands senior-management attention and pressures victims into a swift response. This case serves as a stark reminder to technology vendors with healthcare customers that cybersecurity requires proactive and sustained effort to defend the confidentiality, integrity and availability of data and of the information systems that depend on it.
Separately, under the proposed UK Cyber Security and Resilience Bill, regulators would be empowered to designate high-impact suppliers as "designated critical suppliers". These are expected to be suppliers providing critical services or goods to operators of essential services. Designated suppliers would have to comply with certain "core security" requirements directly, which are likely to include at least incident-reporting obligations, demonstrating further focus and scrutiny on the resilience of supply chains.