Software provider fined £3m over ransomware attack that disrupted key NHS services

27 March 2025, 07:27 | Updated: 27 March 2025, 10:27

A software provider has been fined £3m over a ransomware attack that disrupted critical NHS services and put the data of tens of thousands of patients at risk.

The Information Commissioner's Office (ICO) said Advanced Computer Software Group - which provides IT and software services to organisations around the country - was fined over security failings.

In August 2022, hackers were able to access some systems of the firm's health and care subsidiary by using a customer's account which did not have multi-factor authentication (MFA).

An investigation by the UK's data protection watchdog found the personal information of 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.

The ransomware attack also disrupted critical services including NHS 111 and left some healthcare staff unable to access patient records.

The regulator concluded the impacted Advanced subsidiary did not have the appropriate security measures in place prior to the incident.

Information Commissioner John Edwards said: "The security measures of Advanced's subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.

"While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people's sensitive personal information at risk.

"People should never have to think twice about whether their medical records are in safe hands.

"To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information - whether that's using it, sharing it or storing it on behalf of others - is meeting its legal obligations to protect it.

"With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place.

"I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable."

Last year, the ICO announced its provisional intention to fine Advanced just over £6m, but said the final penalty had been reduced because of Advanced's proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack.