NHS vendor Advanced will pay a small £3 million ($3.8 million) fine for failing to implement basic security measures before being hit by a ransomware attack in 2022, UK data protection regulator confirmed.
It was half of the fines the intelligence officer's office initially sought in August 2024, and Data Watchdog said it would raise more than £6 million due to security failures.
The ICO said Wednesday it had proceeded to “break data protection laws” by not fully deploying multifactor authentication prior to the violation. It said that hackers can break in with stolen qualifications and steal the personal information of tens of thousands of people across the UK.
The Lockbit ransomware attack on Advanced has resulted in a wide range of outages across the NHS, including the patient data systems that Advanced maintains on behalf of the NHS.
In a statement, Advanced confirmed that it resolved the issue. Advanced refused to name the spokesman when asked by TechCrunch.