In one of the most significant data protection enforcement actions to emerge from the 2022 wave of NHS cyber attacks, the Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd £3,076,320 following a ransomware incident that compromised the personal data of tens of thousands of patients and disrupted critical NHS services across England.
The case serves as a defining reference point for UK organisations responsible for processing health data and operating critical national infrastructure — and carries stark lessons for data processors at every level.
Summary & Key Facts
| Detail | Information |
|---|---|
| Organisation | Advanced Computer Software Group Ltd (Advanced) |
| Fine | £3,076,320 |
| Enforcing Authority | Information Commissioner’s Office (ICO) |
| Incident Date | August 2022 |
| ICO Decision | 2025 |
| Data subjects affected | 79,404 individuals |
| Type of breach | Ransomware attack — LockBit ransomware variant |
| Services disrupted | NHS 111, Carenotes clinical record system, Adastra, Odyssey |
Advanced is a major software and services provider to the NHS and wider health and social care sector. In the early hours of 4 August 2022, the company’s health and care division suffered a LockBit ransomware attack that took down multiple critical systems — including NHS 111 (the 24-hour health advice line) and Carenotes, a widely-used electronic patient record system. The attack caused weeks of disruption to NHS services, forcing staff to revert to manual paper-based processes.
Personal data compromised in the attack included medical records, NHS numbers, home addresses, and — most concerning — information on how to gain entry to the homes of 890 highly vulnerable individuals receiving care in the community.
ICO’s Findings
The ICO’s investigation found that Advanced had failed to implement adequate technical and organisational security measures to protect the personal data it processed as a data processor on behalf of NHS trusts and health authorities.
Key findings included:
- Absence of multi-factor authentication (MFA) on a critical customer management platform used to remotely access Staffplan Encore, one of the targeted systems. The ransomware actors gained access through this vulnerability.
- Insufficient vulnerability scanning across Advanced’s health and care environment, leaving known weaknesses unpatched at the time of the attack.
- Inadequate network segmentation, allowing the ransomware to propagate beyond its initial entry point and affect multiple interconnected systems.
- Incomplete security testing of systems that processed special category health data.
The ICO emphasised that the initial intrusion vector — a legitimate remote access credential without MFA — was a known and foreseeable risk that industry guidance and security standards had flagged as unacceptable for systems holding health data. The absence of MFA on a remote access gateway processing the personal data of tens of thousands of NHS patients was characterised as a fundamental failure of basic security hygiene.
The Commissioner noted Advanced’s cooperation with the investigation and the remediation steps taken following the incident as mitigating factors, which contributed to the reduction of the final penalty from the provisional £6.09 million announced in August 2024.
GDPR / DPA 2018 Articles Violated
The ICO’s enforcement action was brought under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The primary violations cited were:
Article 5(1)(f) UK GDPR — Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against accidental loss or destruction and against unlawful processing. Advanced’s failure to implement MFA and maintain adequate network security directly breached this principle.
Article 32 UK GDPR — Security of Processing
Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Article 32(1) specifically references encryption, ongoing confidentiality, integrity and availability of systems, and regular testing. Advanced’s vulnerability management and segmentation failings constituted direct breaches of these requirements.
Advanced was acting as a data processor under contracts with NHS organisations (the data controllers). Under Article 28 UK GDPR, processors are independently bound by Article 32 security obligations — a point the ICO reiterated to underscore that processor liability is not contingent on controller direction.
What This Means for Your Organisation
This case establishes several important benchmarks for organisations that process health or other special category data — or that act as data processors for public sector bodies:
Data processors face direct regulatory liability. Advanced’s status as a processor, rather than a controller, did not shield it from enforcement. Any supplier, SaaS provider, or outsourcer handling health data on behalf of an NHS or public sector client carries independent UK GDPR obligations and faces ICO enforcement in its own right.
MFA is now a baseline expectation, not a best practice. The absence of MFA on a remote access gateway was central to the ICO’s finding of inadequate security. The ICO has made clear across multiple enforcement actions that MFA on remote access systems is expected — its absence will be treated as a material failure.
Health data demands a higher security standard. Article 9 UK GDPR designates health data as special category data requiring a higher standard of protection. Organisations processing health records, NHS numbers, or social care information must apply commensurate technical controls — and document their rationale for security decisions.
NHS supply chain contracts create regulated obligations. Suppliers to NHS trusts and other health bodies typically process large volumes of special category data under data processing agreements. Those agreements bind suppliers to UK GDPR Article 32 standards. An incident like Advanced’s exposes both the processor to ICO enforcement and the controller trust to reputational and regulatory risk.
Key Lessons & Action Points
- Enable MFA on all remote access and administrative interfaces — especially those accessing systems containing health, financial, or other sensitive personal data. This is now a regulatory floor, not an aspirational target.
- Conduct regular vulnerability assessments and penetration testing on systems that process personal data. Document findings and remediation timelines. Gaps between identification and remediation need to be risk-assessed and evidenced.
- Segment your network. Flat network architectures that allow ransomware to propagate across systems are incompatible with the Article 32 requirement to maintain confidentiality, integrity, and availability.
- Review your data processing agreements. If your organisation acts as a processor to NHS or public sector clients, ensure your DPAs accurately reflect your security practices — and that your security practices meet the obligations stated.
- Test your incident response plan. Advanced’s post-incident response — including engagement with the NCSC and the NHS — was cited as a mitigating factor. Having a tested, documented incident response plan is both an Article 32 requirement and a factor in enforcement outcomes.
- Train your IT and security teams on UK GDPR obligations. Technical staff need to understand that security failures have data protection consequences — not just operational ones.
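To make the first three action points checkable rather than aspirational, here is an added, illustrative self-audit written for this article; it is not Advanced's, the ICO's or any NHS body's tooling. It runs over a constructed asset inventory and vulnerability register (every asset name, network zone and the remediation SLA thresholds are assumptions, not values from the case) and flags remote interfaces without MFA, open findings that have overstepped their remediation window without an evidenced risk acceptance, and network zones where systems holding special category data share a segment with unrelated ones.

```python
"""Illustrative Article 32 self-check over a constructed inventory.

Added example for this article; not tooling from Advanced, the ICO or the NHS.
All asset names, zones, dates and SLA values below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RemoteInterface:
    name: str
    mfa_enabled: bool
    special_category: bool   # reaches health / social care data (Art. 9 UK GDPR)
    zone: str                # network segment the interface sits in


@dataclass(frozen=True)
class VulnFinding:
    asset: str
    severity: str            # critical / high / medium / low
    identified: date
    remediated: Optional[date] = None
    risk_accepted: bool = False   # documented, evidenced acceptance of the gap


# Hypothetical remediation SLA in days per severity; set to your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def interfaces_missing_mfa(interfaces):
    """Names of remote/admin interfaces with MFA off, special-category ones first."""
    missing = [i for i in interfaces if not i.mfa_enabled]
    missing.sort(key=lambda i: (not i.special_category, i.name))
    return [i.name for i in missing]


def overdue_findings(findings, today):
    """Open findings older than their SLA with no evidenced risk acceptance."""
    overdue = []
    for f in findings:
        if f.remediated is not None or f.risk_accepted:
            continue
        age_days = (today - f.identified).days
        if age_days > SLA_DAYS[f.severity]:
            overdue.append((f.asset, f.severity, age_days))
    return sorted(overdue, key=lambda t: -t[2])


def mixed_zones(interfaces):
    """Zones where special-category systems share a segment with non-clinical ones."""
    kinds_by_zone = {}
    for i in interfaces:
        kinds_by_zone.setdefault(i.zone, set()).add(i.special_category)
    return sorted(z for z, kinds in kinds_by_zone.items() if kinds == {True, False})


# Constructed sample inventory; none of these are real assets.
SAMPLE_INTERFACES = [
    RemoteInterface("care-records-remote-gw", mfa_enabled=False, special_category=True, zone="shared-lan"),
    RemoteInterface("billing-portal", mfa_enabled=False, special_category=False, zone="shared-lan"),
    RemoteInterface("admin-vpn", mfa_enabled=True, special_category=True, zone="clinical"),
    RemoteInterface("support-jump-host", mfa_enabled=True, special_category=False, zone="corp"),
]

# Constructed vulnerability register; dates are assumptions.
SAMPLE_FINDINGS = [
    VulnFinding("care-records-remote-gw", "critical", date(2022, 6, 1)),
    VulnFinding("billing-portal", "high", date(2022, 7, 20)),
    VulnFinding("admin-vpn", "medium", date(2022, 5, 1), remediated=date(2022, 6, 15)),
    VulnFinding("support-jump-host", "low", date(2022, 1, 10), risk_accepted=True),
]


def run_audit(interfaces=SAMPLE_INTERFACES, findings=SAMPLE_FINDINGS, today=date(2022, 8, 3)):
    """Run all three checks and return the evidence an assessor would ask for."""
    return {
        "missing_mfa": interfaces_missing_mfa(interfaces),
        "overdue": overdue_findings(findings, today),
        "mixed_zones": mixed_zones(interfaces),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

In practice the two input lists would be exported from your asset register and vulnerability scanner rather than typed in, but the shape of the output is the point: each list the script returns is exactly the evidence a regulator asks for after an incident, namely which gateways lacked MFA, how long known weaknesses stayed open without a recorded decision, and which systems could reach each other.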
Related ICO Guidance
- ICO Guidance on Security — technical and organisational security requirements under UK GDPR
- ICO Guidance on Data Processors — processor obligations and contract requirements
- ICO security guidance, including cyber security guidance (principles applicable to all organisations)
Further Reading
- ICO Enforcement Register — full list of ICO enforcement actions and decision notices
- UK GDPR Article 32 — Legislation.gov.uk
- NCSC Ransomware Guidance — UK government guidance on protecting organisations from ransomware
All fine amounts and case details have been verified against ICO enforcement records. This article does not constitute legal advice. For legal guidance on your specific circumstances, consult a qualified data protection solicitor.
