UK Firm Fined £3M for Security Failures in NHS Ransomware Attack, Largest ICO Fine in Two Years
March 27, 2025
The UK's Information Commissioner's Office (ICO) has fined Advanced Computer Software Group £3.07 million ($3.95 million) due to security failures that led to a ransomware attack impacting NHS services.
The ICO's investigation found that Advanced had not implemented sufficient technical and organisational security measures, citing inadequate multi-factor authentication and poor patch management.
The ICO had initially issued a provisional fine of £6 million in August 2024; the penalty was reduced after the company demonstrated proactive engagement with security authorities and took steps to mitigate risks following the attack.
Advanced has accepted the reduced fine without appealing, acknowledging the ICO's decision and highlighting their commitment to improving cybersecurity practices.
The ransomware attack, attributed to the LockBit group, disrupted essential NHS services, including NHS 111, and affected healthcare workers' access to patient records.
The breach compromised the personal information of 79,404 individuals, including sensitive data of 890 vulnerable patients receiving home care.
The attackers gained access using compromised credentials, establishing a Remote Desktop Protocol (RDP) session on a Staffplan Citrix server and then moving laterally into Advanced's environment.
John Edwards, the UK Information Commissioner, criticized Advanced's security protocols for falling significantly short of expected standards for handling sensitive information.
Trevor Dearing from Illumio remarked that this fine should serve as a wake-up call for businesses to prioritize basic cybersecurity measures to limit the impact of attacks.
An Advanced spokesperson expressed regret over the incident, emphasizing the importance of ongoing investment in cybersecurity and their commitment to supporting customers.
Previous notable ICO fines against data controllers include a £20 million fine for British Airways and an £18.4 million fine for Marriott, underscoring the severity of data protection violations in the UK.
This fine marks the largest imposed by the ICO in nearly two years and is the sixth highest penalty in the ICO's history.
Summary based on 8 sources
Sources

BBC News, Mar 27, 2025: NHS software provider fined £3m over data breach
TechCrunch, Mar 27, 2025: NHS vendor Advanced to pay £3M fine following 2022 ransomware attack
TechRadar Pro, Mar 27, 2025: NHS IT supplier hit with major fine following ransomware attack
The Register, Mar 26, 2025: Ransomwared NHS software supplier nabs £3M discount from ICO for good behavior