
Processor Fined for Security Issues
The UK Information Commissioner’s Office (ICO) has issued its first fine against a processor, fining a software provider over GBP 3 million for security failings that exposed the personal data of over 79,000 individuals.
The fine follows a ransomware attack in August 2022, in which attackers accessed the health and care systems of a subsidiary of the provider. Initial access was gained through a customer account that was not protected by multi-factor authentication (MFA).
Key findings:
Impact
The attack disrupted critical services, including certain NHS services, and compromised sensitive personal information, including details needed to access people’s homes for the provision of care services.
Security failures
The ICO found that the subsidiary lacked comprehensive vulnerability scanning, had inadequate patch management and did not fully implement MFA.
In respect of vulnerability scanning, the ICO held that conducting such scans as part of penetration testing does not remove the requirement for an ongoing, regular scanning mechanism. Regarding patch management, the ICO found that the subsidiary’s approach to patching was ad hoc, as it did not have a mature patch validation process in place.
Regarding MFA, the ICO found that deploying it across the environment would likely have prevented the ultimate exfiltration and encryption of the affected data. The ICO noted that MFA had been a widely used industry-standard security control for “years prior to the incident” and is considered best practice.
In reaching the determination that the subsidiary acted negligently, the ICO took into account that the provider had the capability to implement MFA across all of its products but stated that it had not done so because of a perceived reluctance on the part of its data controller customers. The ICO noted that the provider was unable to evidence this reluctance and, in any case, considered that “this is not an acceptable reason not to implement, nor to advise data controller customers to implement, such a fundamental security measure”, particularly given the sensitive nature of the data being processed.
Role as processor
The ICO held that it would have been proportionate for the subsidiary, as processor, to have fully implemented fundamental cyber security measures across its entire environment to protect the personal data it processed on behalf of its data controller customer entities.
The ICO noted that, under the contractual arrangements between the provider and its controller customers, those controllers were also required to take appropriate security measures to protect their personal data, but that this does not reduce the subsidiary’s own responsibility to have appropriate technical and organisational measures in place in accordance with Article 32 UK GDPR.
What does this mean?
At a time of increasing cyber-attacks and data incidents, both controllers and processors should consider the technical and organisational measures they have in place to ensure that the level of security is appropriate to the risk presented by the processing.
The decision underlines the importance of implementing appropriate and proportionate technical and organisational measures, with appropriateness and proportionality judged by reference to several factors, including the risk presented by the processing, the state of the art and the expected industry standard for organisations of the relevant type. Organisations should review and test the technical and organisational measures they have in place on an ongoing basis to ensure they remain appropriate.
The security obligations under the EU GDPR and the UK GDPR remain aligned at the time of writing, so the ICO’s decision and its findings are worth noting in an EU context as well. Although not specifically relevant to the decision, controllers and processors should also be mindful of the human element in the security of data processing and of the importance of regular security testing, a point now expressly set out in EU law in the NIS2 Directive for the entities subject to it.