NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
It’s half the fine that the Information Commissioner’s Office had initially sought in August 2024, when the data watchdog said it was going to fine Advanced more than £6 million for its security failings.
The ICO said Wednesday that Advanced “broke data protection law” by not fully rolling out multi-factor authentication prior to its breach, which allowed hackers to break in with stolen credentials and steal the personal information of tens of thousands of people across the United Kingdom.
The LockBit ransomware attack on Advanced caused widespread outages across the NHS, including patient data systems that Advanced maintains on behalf of the NHS.
In a statement, Advanced confirmed that it had settled the matter. Advanced declined to name a spokesperson when asked by TechCrunch.
