
Healthcare cybersecurity wake-up call: OneAdvanced fined £3.07m

  • Writer: Puja Modha
  • Apr 30

Updated: Jun 6

On 7 August 2024, the United Kingdom’s (“UK”) data protection supervisory authority, the Information Commissioner’s Office (“ICO”), announced its provisional decision to impose a £6.09 million fine on Advanced Computer Software Group Ltd (“OneAdvanced”). The penalty was in response to the company’s failure to implement adequate security measures, which led to a significant ransomware attack in August 2022.

 

This breach resulted in the compromise of personal data relating to 82,946 individuals (79,404 of whom were associated with UK-based data controllers). Of those individuals, 41,196 had special category data exfiltrated. OneAdvanced was acting in the capacity of a data processor on behalf of its clients, many of whom operate in the healthcare sector. As a key Information Technology (“IT”) service provider for organisations such as the National Health Service (“NHS”), OneAdvanced’s shortcomings raised serious concerns about data protection practices within critical sectors.

 

Following OneAdvanced’s representations, the ICO has now issued its final decision. On 28 March 2025, the ICO confirmed that OneAdvanced’s health and care subsidiary violated data protection law by failing to fully implement appropriate security measures before the 2022 attack, such as:


  • Vulnerability scanning – the automated, repeated process of detecting known weaknesses in an organisation’s systems so that they can be tracked and fixed.

  • Patch management – the process of ensuring that systems receive the latest security updates, including fixes for known vulnerabilities, and of confirming that those updates have actually been applied.

  • Multi-factor authentication (“MFA”) – a security measure that requires users to provide two or more verification factors to gain access to a system, significantly reducing the risk of unauthorised access.

 

As part of a voluntary settlement, OneAdvanced has acknowledged the ICO’s decision and agreed to pay a reduced fine of £3.07 million without appeal.

 

How did OneAdvanced’s security lapses lead to a major data breach?

 

  • OneAdvanced’s security shortcomings were directly responsible for a severe data breach that significantly disrupted essential healthcare services across the UK. The attack was executed by the LockBit ransomware group, which gained access to OneAdvanced's network by exploiting weak security protocols.

  • Specifically, the attackers exploited a customer account that did not have MFA enabled. This security lapse allowed them to establish a remote desktop protocol (“RDP”) session on a Staffplan Citrix server, a key component in OneAdvanced's IT infrastructure.

  • Once inside the network, the attackers moved laterally across systems, escalating their privileges and exfiltrating sensitive personal data.

  • The stolen data included names, phone numbers, home addresses and information contained in medical records – such as details of care provided, and, in some cases, instructions on how to access the homes of nearly 890 individuals receiving care at home.

  • The attackers ultimately deployed their ransomware, locking critical systems and causing widespread disruption, particularly to the NHS's 111 advice service, which relies heavily on OneAdvanced's clinical patient management system.

  • Despite the severity of the breach, OneAdvanced reported that there was no evidence of the stolen data being published on the dark web. However, the damage was extensive, with 79,404 individuals affected by the compromise of their data, which included special category data in their sensitive medical records.
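The initial foothold described above, a remote-access logon by an account that sat outside MFA coverage, is the kind of gap a processor can check for on its own systems. The following Python is an added example and is not code from the original article, from OneAdvanced or from the ICO: it parses a few constructed logon records in an assumed key=value log format (no real vendor’s format), compares them with a hypothetical MFA-enrolment inventory, and flags successful remote-access logons (RDP, SSH, VPN) by accounts that were never enrolled. Account names, hosts and addresses are all constructed.

```python
"""Audit remote-access logons against MFA enrolment.

Added example with constructed data; the log format, account names and
hosts are assumptions, not OneAdvanced's or any vendor's real records.
"""
import re
from dataclasses import dataclass

# Constructed MFA-enrolment inventory: account -> enrolled in MFA?
MFA_ENROLLED = {
    "alice.admin": True,
    "svc-backup": True,
    "customer-portal-07": False,   # a customer account never enrolled in MFA
    "bob.nurse": False,
}

# Constructed log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-01T03:14:07Z event=logon user=alice.admin src=10.20.1.5 proto=rdp host=citrix-gw-01 result=success
2024-05-01T03:15:22Z event=logon user=customer-portal-07 src=203.0.113.9 proto=rdp host=citrix-gw-01 result=success
2024-05-01T03:16:01Z event=logon user=bob.nurse src=10.20.4.12 proto=https host=portal-01 result=success
2024-05-01T03:17:45Z event=logon user=customer-portal-07 src=203.0.113.9 proto=rdp host=citrix-gw-01 result=failure
2024-05-01T03:18:10Z event=logon user=svc-backup src=10.20.9.2 proto=ssh host=bk-01 result=success
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")

# Protocols that give interactive or network access into the environment;
# a logon over one of these by a non-MFA account is the finding we care about.
REMOTE_PROTOS = {"rdp", "ssh", "vpn"}


@dataclass(frozen=True)
class Logon:
    ts: str
    user: str
    src: str
    proto: str
    host: str
    result: str


def parse_logons(text):
    """Parse logon events; malformed or non-logon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(part.split("=", 1) for part in m.group("kv").split())
        if kv.get("event") != "logon":
            continue
        try:
            events.append(Logon(m.group("ts"), kv["user"], kv["src"],
                                kv["proto"], kv["host"], kv["result"]))
        except KeyError:
            continue  # required field missing: treat as unparseable
    return events


def mfa_gaps(events, enrolled):
    """Successful remote-access logons by accounts with no MFA enrolment.

    Accounts absent from the inventory are treated as unenrolled, so an
    account nobody tracked still surfaces as a finding.
    """
    return [e for e in events
            if e.result == "success"
            and e.proto in REMOTE_PROTOS
            and not enrolled.get(e.user, False)]


def coverage(enrolled):
    """(enrolled accounts, total accounts): partial coverage is the lesson."""
    return sum(1 for v in enrolled.values() if v), len(enrolled)


if __name__ == "__main__":
    events = parse_logons(SAMPLE_LOG)
    done, total = coverage(MFA_ENROLLED)
    print(f"MFA coverage: {done}/{total} accounts")
    for gap in mfa_gaps(events, MFA_ENROLLED):
        print(f"FINDING {gap.ts} {gap.user} -> {gap.host} over {gap.proto} "
              f"from {gap.src} (no MFA)")
```

Run against real data the two inputs would be a logon export from the remote-access gateway and the identity provider’s enrolment report; the point of the check is that coverage is reported as a ratio rather than a yes/no, since partial coverage was exactly the shortfall the ICO criticised.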

 

How has the ICO responded to OneAdvanced’s data breach?

 

  • The ICO has now confirmed that OneAdvanced’s health and care subsidiary breached data protection law by failing to fully implement appropriate security measures prior to the 2022 ransomware attack.

  • The final penalty imposed is £3.07 million, reduced from the initial proposed fine of £6.09 million following OneAdvanced’s representations and its proactive engagement with regulatory bodies such as the National Cyber Security Centre (“NCSC”) and the National Crime Agency (“NCA”) after the attack.

  • John Edwards, the UK Information Commissioner, stressed that OneAdvanced’s security measures “fell seriously short” of what is expected for an organisation handling sensitive health data.

  • He emphasised that “while OneAdvanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

  • The ICO found that OneAdvanced had failed to deploy vulnerability scanning in its healthcare environment, despite having such measures in place in its corporate environment. The ICO emphasised that ad-hoc penetration testing was insufficient and organisations must establish a structured vulnerability scanning program with regular assessments.

  • The ICO’s decision referenced standards such as ISO 27002:2017, which requires organisations to monitor technical vulnerabilities in a timely manner and act on the associated risks. OneAdvanced was aware of major threats such as the widely publicised Zerologon vulnerability from 2020, but did not confirm whether patches had been applied, or were effective, in the affected environment.

  • Although OneAdvanced cited customer resistance as a reason for not enforcing MFA across all systems, the ICO rejected this rationale, stressing that OneAdvanced had a duty to advise and support data controllers in securing sensitive data, as required under Article 28(3)(f) of the UK GDPR.

 

How has OneAdvanced responded to the ICO’s investigation?

 

  • OneAdvanced has acknowledged the ICO’s decision and agreed to the voluntary settlement, avoiding a lengthy appeals process.

  • OneAdvanced has reiterated its commitment to addressing the issues raised and has been actively working with cybersecurity agencies to enhance its security measures.

  • OneAdvanced confirmed that since the attack, it has made substantial investments in security improvements, including spending £18.3 million on recovery measures immediately after the incident and an additional £3 million in the following financial year. It has expressed deep regret over the incident and reassured customers that patient data controlled by NHS Trusts was not compromised.

 

Looking ahead

 

The OneAdvanced case is a stark reminder of the importance of robust data security practices, particularly for organisations managing sensitive information. Nearly 18 months after the ransomware attack, the incident continues to drive conversations around data protection and the accountability of third-party providers in critical sectors. The ICO’s final decision highlights the need for all organisations to prioritise cybersecurity, adapt to evolving threats and restore public trust in their ability to protect personal data.

 

Aria Grace Law CIC

 

With the increasing frequency and impact of personal data breaches, particularly those involving ransomware, our data privacy team’s expertise has never been more vital. Recent enforcement actions by the ICO underscore the urgent need for organisations to implement robust breach response procedures and security governance.

 

Ransomware is a type of malicious software that unlawfully encrypts files on a host computer system, making them inaccessible until a ransom is paid. Aria Grace Law CIC’s data privacy team specialises in guiding organisations through the legal and operational challenges of data protection and breach management. We offer comprehensive support to organisations facing data breaches including:

 

  • Incident response - we help manage and contain breaches efficiently, minimising disruption and reducing potential damage.

  • Compliance – we ensure that your response aligns with the relevant data protection laws, including the UK GDPR and the EU General Data Protection Regulation 2016/679 (“EU GDPR”), which includes handling notifications to the relevant data protection supervisory authority and to affected individuals.

  • Contractual review – we help review data processing agreements to ensure that appropriate data breach clauses are included. While data processors are not directly responsible for notifying the ICO, they must inform the data controller of any breach without undue delay under Article 33(2) of the UK GDPR. In practice, we recommend that processor-controller agreements specify a clear notification timeframe, such as within 24 to 48 hours, to enable the controller to meet its own legal duty to notify the ICO within 72 hours of becoming aware of a personal data breach.

 

With the rise in ransomware attacks and the complexities they introduce, partnering with our data privacy experts can help you navigate these challenges effectively and maintain robust data protection practices. Contact us at privacy@aria-grace.com to learn how we can assist in protecting your organisation.

 

Article by Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 30 April 2025
