NHS Vendor Fined £3m After 2022 Ransomware Attack

Advanced Faces Over £3 Million Fine for 2022 Ransomware Attack

A penalty exceeding £3 million (approximately $3.8 million) has been levied against NHS vendor Advanced by the U.K.’s data protection regulator. This fine stems from a failure to establish fundamental security protocols prior to a ransomware incident that occurred in 2022.

Reduced Fine from Initial Proposal

The imposed fine represents a reduction from the initial £6 million penalty proposed by the Information Commissioner’s Office (ICO) in August 2024. The ICO had originally intended to pursue a more substantial fine due to the severity of Advanced’s security deficiencies.

Lack of Multi-Factor Authentication Cited

According to the ICO, Advanced violated data protection regulations by not fully deploying multi-factor authentication before the security breach. This omission enabled unauthorized access via compromised credentials, leading to the theft of personal data belonging to a significant number of individuals throughout the United Kingdom.

Impact on NHS Services

The LockBit ransomware attack targeting Advanced resulted in extensive disruptions to NHS operations. Systems managing patient data, which Advanced was responsible for maintaining on behalf of the National Health Service, were significantly affected.

Advanced Confirms Settlement

Advanced has acknowledged settling the dispute with the ICO. The company opted not to designate a spokesperson for comment when approached by TechCrunch regarding the matter.

The incident underscores the critical importance of robust cybersecurity measures, particularly multi-factor authentication, in protecting sensitive data within the healthcare sector.

Key Takeaways

• Advanced has been fined over £3 million for a 2022 ransomware attack.
• The ICO initially proposed a £6 million fine.
• Failure to implement multi-factor authentication was a key factor in the breach.
• The attack caused widespread disruption to NHS services.