NHS Vendor Advanced to Pay £3m Fine Following 2022 Ransomware Attack

NHS Vendor Advanced Ordered to Pay £3 Million Fine Following 2022 Ransomware Attack

London, UK – March 27, 2025
A major IT services provider to the UK’s National Health Service (NHS), Advanced Computer Software Group Ltd (Advanced), has been fined £3.07 million ($3.8 million) by the UK’s Information Commissioner’s Office (ICO) for security lapses that led to a devastating ransomware attack in August 2022. The breach compromised the personal data of over 79,000 individuals and caused widespread disruption to critical NHS services, including the NHS 111 helpline.

The ICO’s investigation revealed that hackers, believed to be part of the notorious LockBit ransomware gang, gained access to Advanced’s systems through a customer account lacking multi-factor authentication (MFA). This vulnerability allowed cybercriminals to steal sensitive information, including phone numbers, medical records, and, in a particularly alarming breach, instructions for entering the homes of 890 vulnerable individuals receiving at-home care. The attack forced NHS staff to resort to pen-and-paper operations, severely impacting patient care and exacerbating pressure on an already strained healthcare system.

Initially, the ICO proposed a £6.09 million penalty in August 2024, citing Advanced’s failure to implement adequate security measures despite its role as a data processor for the NHS and other healthcare providers. However, the fine was reduced by nearly half following a voluntary settlement. The ICO noted Advanced’s cooperation with authorities, including the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS, as well as its efforts to mitigate risks post-attack, as reasons for the reduction. The company agreed to pay the fine without appealing, bringing regulatory closure to the incident.

Information Commissioner John Edwards emphasized the gravity of the breach, stating, “People should never have to think twice about whether their medical records are in safe hands. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.” Edwards urged all organizations, particularly those handling sensitive health data, to ensure robust security measures like MFA are universally applied, warning that “there is no excuse for leaving any part of your system vulnerable.”

The ransomware attack, which unfolded in August 2022, sent shockwaves through the NHS, disrupting services such as ambulance dispatches, out-of-hours GP bookings, and emergency prescriptions. At the time, the Welsh Ambulance Service reported a “major outage,” with effects felt across all four UK nations. Advanced, which provides software solutions like Adastra for patient management, acknowledged that 16 of its 550+ customers were affected, with data relating to 79,404 individuals exfiltrated. The company has maintained that no stolen data was published on the dark web and that patient data controlled by NHS Trusts remained secure.

The £3 million fine marks one of the ICO’s most significant penalties in recent years and underscores the growing threat of cyberattacks on critical infrastructure. It follows a string of ransomware incidents targeting the NHS, including a 2024 attack on pathology provider Synnovis, which disrupted London hospitals and delayed thousands of appointments. Experts see the Advanced case as a wake-up call for healthcare vendors to prioritize cybersecurity, especially as cybercrime groups like LockBit—dismantled by the NCA in early 2024—continue to evolve.

Advanced, now trading as OneAdvanced, expressed regret over the incident. A spokesperson said, “Since the attack in August 2022, we have transformed our business and are a more secure and resilient company than we were two years ago. We apologize to our customers and have worked tirelessly to support them throughout this ordeal.” The company reportedly spent £18.3 million on remediation efforts in the immediate aftermath and an additional £3 million in the 2023-24 financial year to bolster its defenses.

As cyber threats escalate across all sectors, the ICO’s decision serves as a stark reminder of the consequences of inadequate security. With the full penalty notice set to be published on the ICO’s website today, March 27, 2025, the case is likely to fuel ongoing debates about accountability, data protection, and the resilience of public services in the digital age.
