
NHS Vendor Advanced Fined £3M for Security Failures


Advanced, a key IT vendor for the National Health Service (NHS), has been hit with a fine of £3 million ($3.8 million) for its role in a major ransomware attack that occurred in 2022. The attack, carried out by the LockBit ransomware group, compromised critical NHS systems and exposed the personal data of tens of thousands of individuals across the United Kingdom. This penalty, confirmed by the UK’s Information Commissioner’s Office (ICO), comes after an investigation into Advanced’s failure to implement basic cybersecurity protocols before the breach.

The fine is half of the amount initially proposed by the ICO, which in August 2024 sought a £6 million fine. The regulator’s investigation found that Advanced broke data protection laws by failing to fully deploy multi-factor authentication (MFA), a standard security measure designed to prevent unauthorized access to systems. Had MFA been properly implemented, it is likely that hackers would not have been able to gain access using stolen credentials, which were the primary means of the attack.

The LockBit ransomware attack caused major disruptions across NHS services, particularly affecting patient data systems that Advanced maintains. These systems are critical for ensuring that healthcare providers can access and update patient information in real time, and their downtime led to significant delays in patient care and operational challenges for the NHS.

In response to the fine, Advanced has confirmed that it has settled the matter but chose not to name a spokesperson when asked for further comment by TechCrunch. The case serves as a cautionary tale for companies handling sensitive data, emphasizing the importance of proactive cybersecurity measures to protect against increasingly sophisticated cyberattacks.

The ICO’s decision to impose this fine highlights the growing scrutiny of organizations’ data protection practices and signals that regulators will continue to take action against companies failing to implement necessary security safeguards.
