The UK Information Commissioner’s Office (ICO) has issued a £3.07 million fine on Advanced Computer Software Group Ltd for a 2022 ransomware attack that exposed the sensitive personal data of 79,404 people, including National Health Service (NHS) patients.

The cyberattack was announced in early August 2022 when various NHS services, including 111 emergency services, suffered significant outages, pointing to a breach at British managed service provider (MSP) Advanced.

Advanced provided NHS with various patient management and health-related products such as Adastra, Caresys, Carenotes, Odyssey, Crosscare, Staffplan, and eFinancials.

The company didn’t share many details about which ransomware group had compromised them, but in the days that followed, it became clear that recovery would take long, even with the help from experts at Mandiant and Microsoft.

It was later revealed that the LockBit ransomware group was responsible for the attack, leveraging compromised credentials to set up a remote desktop protocol (RDP) session on a Staffplan Citrix server before they moved laterally into the organization’s environment.

Today, the ICO has announced a hefty £3.07 million ($3.95 million) fine on Advanced as a penalty for failing to safeguard sensitive data and systems against hackers.

ICO highlights in its announcement the software vendor’s failure to implement adequate security measures that would prevent the breach that caused data exposure and life-risking health service outages.

These omissions mainly concern poor vulnerability scanning, inadequate patch management, and lack of universal multi-factor authentication (MFA) coverage.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organization processing such a large volume of sensitive information,” stated Information Commissioner John Edwards.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

It’s worth noting that the fine imposed on Advanced for the 2022 ransomware incident is significantly reduced compared to the £6.09M ($7.74 million) figure that ICO considered previously and announced in August 2024.

However, this is significant because it is the first fine in the UK imposed on a data processor rather than a data controller.

Notable cases of past ICO fines on data controllers include the record £20 million fine on British Airways for a 2018 data breach and a £18.4 million fine on Marriott for a 2014 security incident.