NHS Vendor ‘Advanced’ Faces £6 Million Fine for Poor Cybersecurity Against 2022 LockBit Attack

• IT services provider Advanced risks a fine for the lack of proper cybersecurity measures.
• The NHS vendor offered customer accounts with no multi-factor authentication.
• The ICO implies that a 2022 ransomware attack disrupting NHS services across the U.K. could have been prevented.

Software firm Advanced could be issued a £6.09 million ($7.75 million) fine for the NHS data breach after an investigation revealed the information stolen in the August 2022 LockBit ransomware attack was not properly secured by the NHS vendor, according to a statement by the U.K.’s Information Commissioner’s Office (ICO).

The decision to issue a provisional fine came after the ICO determined that the cybercriminals gained initial access via a few of the IT services provider’s systems using a customer account without multi-factor authentication (MFA), ultimately exfiltrating phone numbers and medical records of 82,946 people and crippling NHS services across the country.

Advanced later said that legitimate third-party credentials were used to infiltrate the company’s network, which means no MFA was enabled, and ICO has confirmed this now.

The ICO said Advanced provisionally breached data protection laws by “failing to implement appropriate security measures prior to the attack,” which would have helped protect the sensitive user information the company was storing.

Incident response firm Mandiant concluded LockBit 3.0 was deployed in the security incident, though the LockBit ransomware gang never publicly claimed responsibility for the cyberattack.

LockBit has functioned as a Ransomware-as-a-Service (RaaS) affiliate-based variant since January 2020. Law enforcement shut down LockBit's infrastructure in February 2024 through Operation Cronos, seizing servers with decryption keys.

Cyberattacks on the healthcare industry keep coming in. This month, Calibrated Healthcare announced a data breach that affected its systems earlier this year, exposing its patients’ sensitive information.

In July, HealthEquity announced suffering a security breach in March that affected 4.3 million customers due to data stolen from a third party with access to HealthEquity’s SharePoint data. American company Change Healthcare was hit by a ransomware attack earlier this year, which impacted its customer database, exposing personal details such as health and PII.