NHS Vendor Advanced Fined Over £3 Million for Security Failures
October 2023
Background of the Incident
The Information Commissioner's Office (ICO) confirmed that Advanced, a software vendor to the National Health Service (NHS), has been fined just over £3 million (about $3.8 million) for inadequate security practices. The penalty follows a ransomware attack on the company in August 2022.
Reason for the Penalty
The ICO found that Advanced had not put essential security measures in place before the breach. In particular, multi-factor authentication had only been partially rolled out, so an account used for remote access to its systems was protected by a password alone. The attackers logged in with stolen credentials for that account, and no second factor stood in their way. The personal data of tens of thousands of people across the U.K. was compromised as a result. The practical lesson is that a partial MFA deployment offers little protection: attackers with stolen credentials will find the one remote-access path that is not covered, so every externally reachable login should enforce a second factor.
Impact of the Ransomware Attack
The attack, attributed to the LockBit ransomware group, caused significant disruption across the NHS. Advanced's systems suffered widespread outages, most notably in the patient data management software it runs on behalf of NHS organisations, including systems used by the NHS 111 service.
Settlement and Future Considerations
In a statement, Advanced acknowledged that the matter has been resolved but gave no details of future security improvements or policy changes. The ICO had provisionally proposed a fine of over £6 million in August 2024; the final amount was reduced after Advanced engaged with the regulator and agreed to a voluntary settlement. The size of the original proposal reflects the seriousness with which the ICO views the failure and its stated intent to enforce data protection law against suppliers that process sensitive health data.