Company Check: NHS Supplier Fined £3m Over 2022 Ransomware Failures

A software provider to the NHS has been fined £3.07 million after serious security lapses allowed hackers to steal sensitive personal data in a 2022 ransomware attack.

A Breach With Real-World Impact

The penalty, issued by the Information Commissioner’s Office (ICO), follows a detailed investigation into Advanced Computer Software Group Ltd. In August 2022, the company’s health and care subsidiary was targeted by cybercriminals linked to the LockBit ransomware group. The attackers exploited a customer account that lacked multi-factor authentication (MFA), gaining access to systems used across NHS services.

In total, the personal data of 79,404 individuals was compromised. This included extremely sensitive information such as care plans and (in 890 cases) detailed instructions for entering the homes of vulnerable patients receiving in-home care.

Examples of how serious the effects of the attack were include:

– The NHS 111 helpline was forced to revert to manual operations.

– Health professionals across the country were locked out of patient records for extended periods.

– Routine services were thrown into disarray, with some systems offline for weeks.

ICO Says “Fell Seriously Short”

The ICO concluded that Advanced Computer Software Group Ltd had failed to implement basic cybersecurity hygiene expected of an organisation handling high-risk data. While some systems were protected by MFA, coverage was patchy, leaving major entry points exposed. Investigators also found gaps in vulnerability scanning and weaknesses in the company’s patch management processes.

Information Commissioner John Edwards said Advanced’s security “fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.” He added: “People should never have to think twice about whether their medical records are in safe hands.”

Fine Halved From £6m to £3m

The ICO originally proposed a fine of £6.09 million but ultimately reduced the figure by half. The discount followed a voluntary settlement in which Advanced accepted the findings, agreed not to appeal, and worked closely with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and NHS partners in the wake of the breach.

The regulator also acknowledged the company’s efforts to limit the damage and mitigate risks to affected individuals, which contributed to the final penalty being set at £3,076,320.

A Data Processor Under Pressure

As a data processor acting on behalf of healthcare providers, Advanced Computer Software Group Ltd was responsible for protecting information it handled but did not own. That legal duty, the ICO stressed, does not allow for shortcuts. The ICO highlighted that it was not enough for security measures to be “in progress”; they needed to be fully implemented, especially given the volume and sensitivity of the data involved.

This attack, enabled by a single unsecured login, revealed how thinly spread protections can lead to catastrophic consequences when threat actors find a gap.

More Than Just a Cyber Incident

It seems that the fallout in this case extended far beyond IT systems. For example, the data accessed by attackers contained private information used daily by carers, clinicians, and emergency staff. In some cases, the stolen data may have revealed access instructions to individuals’ homes, which is an unprecedented breach of trust and safety for those affected.

For many observers, this incident demonstrated how a breakdown in basic cyber hygiene can translate directly into disruption on the front lines of public health services.

One of the Largest Fines in Years

Advanced’s fine is the highest handed down by the ICO since TikTok was penalised in April 2023 and ranks among the regulator’s top six ever. It places the company alongside British Airways, Marriott, and Interserve in a growing list of high-profile data security failures.

What sets this case apart is the nature of the data compromised, i.e. health and care information linked to some of the most vulnerable people in society. It also highlights how private contractors embedded in public services now face the same scrutiny and accountability as frontline NHS bodies.

What Does This Mean For Your Business?

The clear message from the ICO, illustrated by this case, is that partial protections are not enough. If you’re handling sensitive data, especially as a supplier to critical sectors, every point of access must be secured, monitored, and updated. Incomplete MFA rollout, unpatched vulnerabilities, and weak incident response planning all count as regulatory failures.

This case also highlights how regulators are now expecting more from third-party vendors, and public sector clients are unlikely to forgive repeat offenders. For procurement teams, cyber due diligence is no longer optional. It must include not only accreditations and policies, but proof that systems are fully hardened and actively monitored.

That said, Advanced’s experience shows that cooperation can reduce a fine, but it doesn’t undo the reputational and operational damage. For suppliers across healthcare, education, and government services, the priority now is clear: secure the basics or risk losing everything.