Software provider fined £3m over ransomware attack that hit NHS services

27 March 2025, 00:04

A woman’s hand pressing keys of a laptop keyboard
Cyber Monitoring Centre. Picture: PA

The Information Commissioner’s Office said Advanced Computer Software Group had been fined over security failings that put personal data at risk.

The UK’s data protection watchdog has fined a software provider £3 million over a 2022 ransomware incident which disrupted some NHS services.

The Information Commissioner’s Office (ICO) said Advanced Computer Software Group had been fined over security failings that put the personal information of 79,404 people at risk.

The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information as part of its role as a data processor.

The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information

Information Commissioner John Edwards

The incident, in August 2022, saw hackers access some systems of Advanced’s health and care subsidiary using a customer account that did not have multi-factor authentication (MFA) in place, with the attack leading to the disruption of critical services including NHS 111, and left some healthcare staff unable to access patient records.

The ICO’s investigation into the incident found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.

The regulator concluded that the impacted Advanced subsidiary did not have the appropriate security measures in place prior to the incident.

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk

Information Commissioner John Edwards

Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.

“People should never have to think twice about whether their medical records are in safe hands.

“To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.

I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable

Information Commissioner John Edwards

“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place.

“I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

Last year, the ICO had announced its provisional intention to fine Advanced just over £6 million, but said the final reduction in the fine had occurred because of Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack.

By Press Association

More Technology News

See more More Technology News

Sir Elton John performing

Elton John says ‘we will not back down’ in awards speech addressing AI concerns

Live
Customers purchase Nintendo Switch 2 at an electronics retailer in Tokyo on June 5, 2025.

Nintendo Switch 2 launch live: Where to buy, best deals, and early verdict

In this photo illustration, an Apple logo is seen displayed alongside the Google logo.

Tech giants Apple and Google 'profiting from phone thefts', MPs claim

A man's hands using a laptop keyboard

Scots warned of ‘scamdemic’ as £860,000 lost to cyber criminals in 12 months

A close up image of a The North Face fleece

North Face and Cartier customer data stolen in cyber attacks

Imagery of a Zilch payments card and a virtual card

Buy now pay later provider Zilch to launch first physical card

UK’s most EV-friendly city has been revealed by new research.

Cities with slowest EV charging times and least amount of chargers revealed

View of a VodafoneThree logo outside the firm's offices

Vodafone completes Three UK mega-merger to form ‘new force’ in mobile market

A hand holding a Monzo bank card and a mobile phone showing the Monzo app

Monzo annual profit surges as paying subscribers boost digital bank

Majestic British Airways Airbus A380 taking off from London Heathrow at sunset, amazing colors

UK airspace shake-up could slash journey times and cut flight delays for millions of passengers

File photo dated 30/05/25 of the saltmarsh at Abbotts Hall in Essex. Saltmarshes are 'significant' carbon stores, but are at risk from rising sea levels, new research reveals

UK's muddy saltmarshes vital to tackle climate change, report finds

Nigel Farage

Reform backs cryptocurrency tax cut as party receives first Bitcoin donations

Digital devices on office workplace table of young business woman

‘Young people and black workers at highest risk of workplace surveillance’

Debris from the Titan submersible, recovered from the ocean floor near the wreck of the Titanic, is unloaded from the ship Horizon Arctic at the Canadian Coast Guard pier in St. John's, Newfoundland, in June 2023

The shock household item discovered in 'sludge' of OceanGate sub wreckage

Google is facing a £25 billion legal claim in the UK, accusing the tech giant of abusing its dominant position in the online search advertising market

Google facing £25 billion legal claim over abuse of search advertising market

A hand holding a phone showing the Nvidia logo

Nvidia posts strong growth despite ongoing tariff challenges