UK Fines Software Firm £3.07 Million Over 2022 NHS Ransomware Attack

The ICO's investigation revealed critical security failings at Advanced, marking the first fine in the UK against a data processor for a breach.

The Information Commissioner's Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million for a 2022 ransomware attack that exposed sensitive data of 79,404 individuals.
The attack, attributed to the LockBit ransomware group, disrupted NHS services, including NHS 111, and left staff unable to access patient records.
The ICO found that Advanced failed to implement adequate security measures, including incomplete multi-factor authentication (MFA) and poor vulnerability management.
Sensitive information exposed in the breach included medical records and access details for 890 individuals receiving home care.
The fine, initially proposed at £6.09 million, was reduced due to Advanced's proactive cooperation with the NCSC, NCA, and NHS to address the fallout and improve cybersecurity.