cybersecurity · Technology · 2024
Advanced Computer Software Group Limited
Advanced Computer Software Group, supplier of NHS 111 and other critical healthcare IT services, was fined for an August 2022 ransomware attack that disrupted NHS services and compromised personal data of 82,946 patients. The ICO found Advanced had failed to implement multi-factor authentication across its systems, had inadequate vulnerability scanning, and had not conducted a DPIA for the health systems it managed — forcing NHS 111 to revert to paper records and disrupting ambulance dispatch across England. The fine was reduced from an initial notice of £6.09 million following representations.
Fine Imposed: €3.6M
Authority: ICO-UK
Regulation: NIS Regulations 2018 (Network and Information Systems)
Max fine: Up to £17M per violation; competent authorities include Ofcom, sector regulators, and NCSC
Status: active
Key Takeaways
- Healthcare IT suppliers processing NHS patient data carry the same UK GDPR obligations as healthcare organisations themselves — MFA and DPIAs are baseline requirements for critical health infrastructure suppliers, and supply chain security failures have direct patient safety consequences.