Advanced: NHS software provider fined £3m over 2022 ransomware attack that exposed data of 79,000 patients

The Information Commissioner’s Office (ICO) confirmed that Advanced Computer Software Group Ltd, a software provider to healthcare organisations including the NHS, has been fined £3.07 million after hackers gained access to sensitive data affecting more than 79,000 people.

The attack, which occurred in August 2022, disrupted critical NHS services such as NHS 111 and prevented some staff from accessing patient records. The ICO said the attackers were able to infiltrate systems belonging to Advanced’s health and care subsidiary by using a customer account that lacked multi-factor authentication (MFA).

The breach led to the theft of personal data from 79,404 individuals, including entry instructions to the homes of 890 people receiving care at home.

The ICO found that the company failed to have appropriate technical and organisational measures in place to secure its systems before the incident. This included incomplete MFA coverage, insufficient vulnerability scanning, and inadequate patch management.

Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

He added: “People should never have to think twice about whether their medical records are in safe hands.

“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today… there is no excuse for leaving any part of your system vulnerable.”

Originally, the ICO proposed a £6.09 million fine in August 2024. However, the final penalty was reduced after Advanced cooperated with authorities, including the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS, and took steps to mitigate the impact of the breach.

A voluntary settlement has now been reached, with Advanced acknowledging the ICO’s findings and agreeing to pay the reduced fine without appealing.

Mr Edwards said: “I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.”

The full penalty notice will be available on the ICO’s website on March 27.