
NHS Software Provider Fined £3m by ICO over Ransomware Attack


A £3 million fine has landed on the desk of Advanced Computer Software Group, a key player in providing IT solutions across the UK. The penalty, issued by the Information Commissioner’s Office (ICO), stems from a ransomware attack in August 2022 that threw NHS services into chaos and exposed the personal data of tens of thousands of patients. This wasn’t a minor breach.


The attack exploited a weak spot: a customer account lacking multi-factor authentication (MFA). Hackers slipped through this gap, accessing systems managed by Advanced’s health and care subsidiary. The fallout? Personal details of 79,404 individuals were stolen, including sensitive information about how to enter the homes of 890 people receiving at-home care. Imagine the vulnerability: caregivers unable to protect those who depend on them most.


Critical services took a hit too. NHS 111, a lifeline for urgent medical advice, faltered. Healthcare workers scrambled, unable to access patient records when time mattered most. The ICO’s investigation laid bare the truth: Advanced’s subsidiary had failed to lock down its systems adequately before the breach occurred.


John Edwards, the Information Commissioner, didn’t mince words: “The security measures of Advanced's subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.” He pointed to a glaring oversight. While Advanced had rolled out MFA across much of its infrastructure, gaps remained, gaps wide enough for hackers to stroll through. “While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people's sensitive personal information at risk,” Edwards added.


This breach wasn’t just a technical failure; it was a betrayal of trust. “People should never have to think twice about whether their medical records are in safe hands,” Edwards stressed. Patients expect security, not excuses. Yet, in this case, a single unprotected account broke confidence in a system handling life-and-death data.


Edwards drove the point home: “To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information, whether that's using it, sharing it or storing it on behalf of others, is meeting its legal obligations to protect it.” Cyber threats aren’t slowing down. “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place,” he warned. His advice? Secure every external connection with MFA now. “There is no excuse for leaving any part of your system vulnerable.”


The fine could have stung harder. Last year, the ICO signalled a provisional penalty of over £6 million. Advanced dodged the full blow, thanks to its swift cooperation with the National Cyber Security Centre, the National Crime Agency, and the NHS after the attack. That collaboration shaved millions off the final tally, but it doesn’t erase the damage done.


This case raises a sharp question: how many organisations still gamble with incomplete defences? The NHS breach wasn’t an isolated fluke; it’s a clear example of what happens when security lags behind responsibility. For Advanced, £3 million is the price of that lesson.
