Advanced to Pay £3M for NHS Security Breach Failures


UK-based technology provider Advanced, a key vendor for the National Health Service (NHS), has been fined more than £3 million after a 2022 ransomware attack exposed personal data and caused massive service disruptions. The UK’s Information Commissioner’s Office (ICO) confirmed the penalty this week, citing the company’s failure to implement basic cybersecurity protocols.

Originally, the ICO had proposed a fine exceeding £6 million in August 2024. However, following discussions and settlement proceedings, the fine was reduced by half. Even with the discount, this case sends a strong signal about the cost of weak security in critical healthcare infrastructure.

According to the ICO, Advanced breached data protection laws by not fully deploying multi-factor authentication (MFA) across its systems. This left the company exposed, and attackers exploited the gap by using stolen credentials to gain unauthorized access. The breach compromised sensitive personal information of tens of thousands of individuals, including patient records stored on NHS systems managed by Advanced.

The attack was linked to the LockBit ransomware gang, a notorious cybercriminal group known for targeting government and healthcare organizations. Once inside the system, the attackers encrypted data and demanded ransom, resulting in widespread system outages. Key NHS services, including patient data management platforms, were brought down for days. The disruption caused significant delays in treatment and put additional pressure on healthcare workers already operating in high-stress environments.

In its findings, the ICO highlighted that Advanced failed to meet even the minimum expectations for protecting personal health information. Multi-factor authentication has become a widely recommended best practice for preventing unauthorized access, especially in sectors handling sensitive data. The watchdog emphasized that had MFA been fully in place, the attack may have been prevented or at least significantly mitigated.

Advanced has since confirmed the settlement, stating it has cooperated fully with the investigation and made several improvements to its cybersecurity infrastructure. A spokesperson noted the company is committed to learning from the incident and ensuring such failures do not recur.

This incident adds to growing concerns about the cybersecurity readiness of vendors that manage critical public sector infrastructure. With healthcare systems increasingly relying on third-party software, the risk of supply chain attacks continues to rise. Experts warn that unless vendors adopt stronger cybersecurity measures, more breaches like this are likely to occur.

The ICO’s decision to fine Advanced underscores the responsibility that private contractors have when managing public data. As ransomware attacks grow in frequency and sophistication, regulators are pushing for tighter security controls and holding companies accountable for lapses that put citizens at risk.

This case serves as a reminder to all healthcare and public sector vendors: cybersecurity is not optional—it’s a fundamental part of protecting public trust and safety.
