Advanced, a vendor for the National Health Service (NHS), is set to pay over £3 million ($3.8 million) in fines after failing to implement basic security measures prior to a ransomware attack in 2022, as confirmed by the United Kingdom’s data protection regulator. The fines imposed amount to half of the sum initially proposed by the Information Commissioner’s Office (ICO) in August 2024, when the agency announced its intention to fine Advanced more than £6 million for its security deficiencies.
The ICO stated that Advanced violated data protection laws by not fully deploying multi-factor authentication before the breach. This oversight allowed hackers to use stolen credentials to gain unauthorized access and compromise the personal information of tens of thousands of individuals in the United Kingdom.
The incident, known as the LockBit ransomware attack, resulted in significant disruptions across the NHS, affecting various patient data systems managed by Advanced for the NHS. In response to these events, Advanced confirmed in a statement that the issue has been resolved. When approached by TechCrunch, the company declined to provide the name of a spokesperson.
