ICO fines Advanced £3m following 2022 ransomware attack – Comment

The Information Commissioner’s Office this week fined Advanced £3.07m for security failings following a ransomware attack in 2022. While the fine focuses on the impact on the 79,404 people whose personal information Advanced processed for its healthcare customers, it is the first ICO fine issued to a ‘data processor’, a term that applies to many companies operating in the legal tech space.

Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations as their data processor. In August 2022, hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber attack was widely reported at the time, with reports of disruption to critical services such as NHS 111, and of healthcare staff being unable to access patient records.

The investigation found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.

In handing out the fine, the ICO said that a subsidiary of Advanced broke data protection law by failing to fully implement appropriate security measures, such as complete multi-factor authentication coverage, prior to the 2022 attack. It also highlighted a lack of comprehensive vulnerability scanning and inadequate patch management. Advanced reached a voluntary settlement, acknowledging the regulator’s decision and agreeing to pay the reduced fine without an appeal.

Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
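The failure the regulator describes is partial coverage: MFA on “many” systems, with one customer account left outside it. A useful check is an audit that reports gaps per account class and flags the ones that matter (remote-access or privileged accounts), rather than a single headline percentage that hides a lone uncovered account. The following is an added example, not code from the article, the ICO or Advanced; it runs over a constructed account export, and the field names (`user`, `kind`, `mfa`, `remote_access`, `roles`) are assumptions, not any real identity provider’s schema.

```python
"""MFA coverage gap audit over a constructed account inventory.

Added example, not code from the article or from Advanced. The export format
(a list of dicts with user/kind/mfa/remote_access/roles) is an assumption
standing in for whatever an identity provider or directory actually exports.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. Most accounts are enrolled, so a headline
# percentage looks healthy, but one remote-access customer account is not.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "kind": "staff", "mfa": True, "remote_access": True, "roles": ["admin"]},
    {"user": "bob", "kind": "staff", "mfa": True, "remote_access": True, "roles": []},
    {"user": "carol", "kind": "staff", "mfa": True, "remote_access": False, "roles": []},
    {"user": "dave", "kind": "staff", "mfa": True, "remote_access": False, "roles": []},
    {"user": "trust-a-support", "kind": "customer", "mfa": True, "remote_access": True, "roles": []},
    {"user": "trust-b-support", "kind": "customer", "mfa": False, "remote_access": True, "roles": []},
    {"user": "svc-backup", "kind": "service", "mfa": False, "remote_access": False, "roles": ["backup-operator"]},
    {"user": "svc-monitor", "kind": "service", "mfa": False, "remote_access": False, "roles": []},
]

# Roles treated as privileged for this example (an assumption).
PRIVILEGED_ROLES = frozenset({"admin", "backup-operator"})


@dataclass
class CoverageReport:
    total: int
    enrolled: int
    by_kind: dict          # kind -> (enrolled, total)
    gaps: list             # interactive accounts with no MFA
    high_risk_gaps: list   # gaps that are remote-access or privileged
    non_interactive: list  # service accounts: need compensating controls

    @property
    def coverage(self) -> float:
        """Share of interactive accounts enrolled; 1.0 when there are none."""
        interactive = self.total - len(self.non_interactive)
        return self.enrolled / interactive if interactive else 1.0

    @property
    def complete(self) -> bool:
        """True only when no interactive account lacks MFA."""
        return not self.gaps


def audit_mfa_coverage(accounts, privileged_roles=PRIVILEGED_ROLES) -> CoverageReport:
    by_kind = defaultdict(lambda: [0, 0])
    gaps, high_risk, non_interactive = [], [], []
    for acct in accounts:
        kind = acct.get("kind", "unknown")
        by_kind[kind][1] += 1
        if acct.get("mfa"):
            by_kind[kind][0] += 1
            continue
        if kind == "service":
            # Non-interactive accounts cannot do interactive MFA; list them
            # separately so they are neither hidden nor mis-counted as gaps.
            non_interactive.append(acct["user"])
            continue
        gaps.append(acct["user"])
        privileged = bool(privileged_roles & set(acct.get("roles", ())))
        if acct.get("remote_access") or privileged:
            high_risk.append(acct["user"])
    enrolled = sum(e for e, _ in by_kind.values())
    return CoverageReport(
        total=len(accounts), enrolled=enrolled,
        by_kind={k: tuple(v) for k, v in by_kind.items()},
        gaps=gaps, high_risk_gaps=high_risk, non_interactive=non_interactive,
    )


def format_report(report: CoverageReport) -> list:
    """Human-readable lines: per-class coverage first, then the named gaps."""
    lines = [f"MFA coverage (interactive accounts): {report.coverage:.0%}"]
    for kind, (enrolled, total) in sorted(report.by_kind.items()):
        lines.append(f"  {kind:<9} {enrolled}/{total} enrolled")
    for user in report.high_risk_gaps:
        lines.append(f"HIGH RISK: {user} has no MFA and remote access or privilege")
    for user in report.gaps:
        if user not in report.high_risk_gaps:
            lines.append(f"GAP: {user} has no MFA")
    for user in report.non_interactive:
        lines.append(f"REVIEW: {user} is a service account; confirm compensating controls")
    lines.append("COMPLETE" if report.complete else "INCOMPLETE: enforce MFA on the accounts above")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_mfa_coverage(SAMPLE_ACCOUNTS))))
```

The point of the per-class breakdown is that staff coverage of 4/4 says nothing about customer or partner accounts that reach the same systems; the audit should treat a single uncovered remote-access account as a finding in its own right, not as rounding error in an overall percentage.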

The regulator announced its provisional intention to fine Advanced £6.09m in August 2024. Advanced then submitted representations on the provisional decision, which have been considered by the ICO. Several factors from these representations led to a reduction in the fine, including Advanced’s proactive engagement with the NCSC, the NCA, and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted.

In terms of the significance of this fine to the legal tech sector, Tim Hyman, CEO of legal data protection consultancy 2twenty4 Consulting, said: “Although this penalty is focussed on the impact within the healthcare sector, there are clear parallels to law firms processing health related data using third-party software vendors.

“We have seen fines and reprimands for law firms but this is the first fine awarded to a ‘Data Processor’ which is GDPR speak for any service provider processing personal data ‘on behalf of’ a Data Controller – so think document management/case management etc. The full details, including the factors used to calculate the penalty are available on the ICO website and they list ‘gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management’ as the significant contributing factors.”

Not covered in the ICO’s decision, Hyman says, but questioned by many commentators, is whether the customers of Advanced’s software should also take some responsibility, and whether the incident reflects sub-standard vendor due diligence on their part.

“This fine should be seen as a reminder to both law firms and their legal tech vendors that the appropriate protections and security must cover the entire lifecycle of client data from the point of collection to its deletion including where it is shared with or hosted by third-party service providers,” he said. “With AI increasingly pervasive in legal, and for many provided by a third-party – how thorough is your vendor due-diligence?”

A spokesperson for Advanced told us: “What happened over two and a half years ago is wholly regrettable. With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.

“We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals.”