Software provider fined £3m over ransomware attack that hit NHS services

27 March 2025, 00:04

A woman’s hand pressing keys of a laptop keyboard
Cyber Monitoring Centre. Picture: PA

The Information Commissioner’s Office said Advanced Computer Software Group had been fined over security failings that put personal data at risk.

The UK’s data protection watchdog has fined a software provider £3 million over a 2022 ransomware incident which disrupted some NHS services.

The Information Commissioner’s Office (ICO) said Advanced Computer Software Group had been fined over security failings that put the personal information of 79,404 people at risk.

The firm provides IT and software services to organisations around the country, including the NHS and other health providers, handling information as part of its role as a data processor.

The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information

Information Commissioner John Edwards

The incident, in August 2022, saw hackers access some systems of Advanced’s health and care subsidiary using a customer account that did not have multi-factor authentication (MFA) in place, with the attack leading to the disruption of critical services including NHS 111, and left some healthcare staff unable to access patient records.

The ICO’s investigation into the incident found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.

The regulator concluded that the impacted Advanced subsidiary did not have the appropriate security measures in place prior to the incident.

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk

Information Commissioner John Edwards

Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.

“People should never have to think twice about whether their medical records are in safe hands.

“To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.

I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable

Information Commissioner John Edwards

“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place.

“I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

Last year, the ICO had announced its provisional intention to fine Advanced just over £6 million, but said the final reduction in the fine had occurred because of Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack.

By Press Association

More Technology News

See more More Technology News

Pathology services provider Synnovis was the victim of a ransomware attack by a Russian cyber gang in June last year

Russian gang’s cyber attack on blood services ‘harmed 170 patients’

23andMe fined millions by watchdog after ‘profoundly damaging’ cyber attack exposing genetic data

23andMe fined millions by watchdog after ‘profoundly damaging’ cyber attack exposing genetic data

Scotland 2050 conference

‘Destructive’ social media will transform politics ‘for a generation’ – Forbes

View of Centre Court full of spectators watching a game at Wimbledon All England Lawn Tennis Club Championships. Wimbledon.

Wimbledon adopts AI for 2025 Championships with All England club introducing in-match analysis

Th new feature that lets you and a friend pair up and match with other pairs

Tinder launches 'double date' feature in bid to attract 'low pressure' Gen Z

An avocado bathroom suite built in the 70's.

Young homeowners ‘favour avocado bathrooms, relaxation zones and panelled walls’

Meta to introduce ads on WhatsApp as US tech giant reverses ‘no ads’ stance on world’s most popular messaging app

Meta to introduce ads on WhatsApp as US tech giant reverses ‘no ads’ stance on world’s most popular messaging app

Captain Cook's legendary ship has been discovered

Mystery of Captain Cook's lost ship solved after 250 years as scientists discover exact location of the HMS Endeavour

The ancient lost world was discovered in East Antarctica.

Lost world unearthed beneath Antarctica ice after 34 million years

Taoiseach Micheal Martin, Northern Ireland First Minister Michelle O’Neill and deputy First Minister Emma Little-Pengelly during the British-Irish Council (BIC) summit at the Slieve Donard resort in C

Leaders share healthcare and efficiency hopes for AI at British-Irish Council

Three and Vodafone

VodafoneThree promises better coverage at ‘no extra cost’ within months

The Khankhuuluu species weighed 750 kilograms, about the size of a horse

Newly discovered ‘Dragon Prince’ dinosaur rewrites history of T.rex

Aviation technology company Sita said 33.4 million bags were mishandled in 2024, compared with 33.8 million during the previous year.

Airlines lose fewer bags as tracking tech takes off as bosses say passengers expect similar service to a 'delivery app'

Social media app icons displayed on an Apple iPhone

Social media giants can ‘get on’ and tackle fraud cases, says City watchdog

Experts have warned about the risks posed by period tracking apps (Alamy/PA)

Experts warn of risks linked to period tracker apps

Data (Use and Access) Bill

Lords’ objections to Data Bill over copyright threatens its existence – minister