NHS vendor Advanced has been fined just over £3 million ($3.8 million) for failing to implement basic security measures before a ransomware attack in 2022, according to the U.K.’s data protection regulator.
The Fine
The Information Commissioner’s Office (ICO) initially sought a fine of over £6 million for Advanced’s security failings, but settled on the lower amount. The ICO stated that Advanced violated data protection laws by not fully implementing multi-factor authentication, allowing hackers to access the personal information of tens of thousands of individuals in the U.K.
The Attack
The LockBit ransomware attack on Advanced caused widespread outages across the NHS, affecting patient data systems that Advanced maintained on its behalf.
Advanced confirmed the settlement but declined to provide further details or a spokesperson.
