Advanced Fined £3M For Cyberattack That Exposed Data Of 79,000 NHS Patients


A major NHS software supplier was fined £3.07 million for failing to implement proper security measures before a 2022 ransomware attack that exposed the personal data of 79,000 people, as confirmed by the U.K.’s data protection regulator (ICO).

In a rush? Here are the quick facts:

  • Hackers exploited missing multi-factor authentication, stealing data from nearly 79,000 people.
  • NHS 111 and patient records access were disrupted due to the breach.
  • ICO initially proposed a £6.09M fine but reduced it after Advanced cooperated.

Advanced Computer Software Group Ltd (Advanced) received an ICO penalty for violating data protection regulations because its systems lacked complete multi-factor authentication (MFA) implementation.

The attackers took advantage of this security weakness to break into the health and care subsidiary of the company and steal sensitive data while disrupting NHS 111 services, as noted by ICO.

John Edwards, the UK’s Information Commissioner, expressed his disappointment about the security weaknesses found in Advanced’s subsidiary operations.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk,” he stated, as reported by the ICO.

“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it,” he added.

The LockBit ransomware group carried out an attack that caused extensive system outages throughout the network. Healthcare workers lost their ability to access patient records while the home entry details of 890 people receiving home care became exposed to unauthorized parties, as reported by the BBC.

The ICO had first set the fine at £6.09 million before reducing it due to Advanced’s cooperation with law enforcement and cybersecurity agencies such as the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The company accepted the ICO decision without contestation and chose not to file an appeal.
