Case Study: How a UK Software Supplier Halved a £6m Fine After a Major NHS Data Breach

In 2022, a ransomware attack on a key NHS software provider disrupted critical national services and exposed the data of nearly 80,000 people.

The company faced a potential fine of over £6 million from the Information Commissioner's Office (ICO). But after a rapid overhaul of its security posture, the final penalty was reduced by almost 50%.

This case reveals what happens when foundational controls are missing — and what regulators expect when things go wrong.


What Happened

Company: Advanced Computer Software Group Ltd
Role: Data processor for NHS and other public sector clients

In August 2022, cybercriminals accessed Advanced’s systems via a compromised customer account.

The impact was immediate and significant:

  • Critical disruption to NHS services
    NHS 111 and other urgent care platforms were taken offline. Staff couldn’t access patient records, forcing some teams to revert to pen-and-paper systems. One doctor described the situation as "immense confusion and chaos."

  • Serious exposure of personal data
    The personal information of 79,404 individuals was compromised, including sensitive health data and entry instructions for 890 vulnerable people receiving in-home care. This raised not just privacy concerns, but physical safety risks.

The ICO Investigation: What Failed

The ICO investigation revealed multiple basic failures in Advanced’s security controls:

  • Incomplete multi-factor authentication (MFA)
    MFA wasn’t consistently enforced across systems. The attackers gained access through a customer account that lacked this critical layer of protection.

  • No structured vulnerability scanning
    The company had no mature process to regularly identify and fix weaknesses in its systems, leaving known risks unaddressed.

  • Unpatched critical vulnerabilities
    The compromised server was still exposed to the “ZeroLogon” vulnerability despite national alerts and clear guidance to apply the fix.

The ICO stated that Advanced had:

"fallen seriously short of what we would expect from an organisation processing such a large volume of sensitive information."
— Information Commissioner John Edwards


The Response: A Full Overhaul

Rather than wait for judgement, Advanced acted quickly to contain the damage and demonstrate accountability. Their recovery plan included:

  • Full rollout of multi-factor authentication (MFA)
    MFA was extended to cover all user accounts and external access points, closing the gap that attackers had exploited.

  • Ongoing vulnerability management
    They implemented continuous scanning across infrastructure to detect and remediate threats proactively, not reactively.

  • Formal patching process for critical systems
    A structured, organisation-wide policy was introduced to ensure timely updates for all known vulnerabilities.

  • Direct coordination with national authorities
    Advanced worked closely with the NCSC, National Crime Agency, and NHS to manage impact, communicate with stakeholders, and support those affected.
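The first three items above are controls whose coverage can be measured rather than asserted. What follows is an added example, not code from Advanced or the ICO: a small gap report over a constructed account and host inventory that flags externally reachable accounts without MFA and mandated fixes past their deadline. All names, the advisory identifier and the dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory (placeholders, not Advanced's real estate).
@dataclass
class Account:
    name: str
    kind: str            # "staff" or "customer"
    external: bool       # reachable from outside the corporate network
    mfa_enforced: bool

@dataclass
class Host:
    name: str
    role: str
    # advisory id -> date by which the fix was mandated (constructed values)
    mandated_fixes: dict = field(default_factory=dict)

ACCOUNTS = [
    Account("ops-admin", "staff", False, True),
    Account("helpdesk-01", "staff", True, True),
    Account("customer-trust-a", "customer", True, False),   # the gap
    Account("customer-trust-b", "customer", True, True),
]
HOSTS = [
    Host("dc-01", "domain controller", {"ADVISORY-PLACEHOLDER-1": date(2022, 7, 1)}),
    Host("web-01", "customer portal"),
]
REPORT_DATE = date(2022, 8, 4)  # constructed reporting date

def mfa_gaps(accounts):
    """Externally reachable accounts with no MFA, staff or customer alike.
    One such account is a finding: the breach path here was a customer login."""
    return sorted(a.name for a in accounts if a.external and not a.mfa_enforced)

def overdue_fixes(hosts, today):
    """(host, advisory, days overdue) for every mandated fix past its deadline."""
    return sorted((h.name, adv, (today - due).days)
                  for h in hosts
                  for adv, due in h.mandated_fixes.items()
                  if today > due)

def gap_report(accounts, hosts, today):
    """Combined report; a non-empty list in either field means the control is
    not actually in place, however the policy document reads."""
    return {"mfa_gaps": mfa_gaps(accounts),
            "overdue_fixes": overdue_fixes(hosts, today)}

if __name__ == "__main__":
    print(gap_report(ACCOUNTS, HOSTS, REPORT_DATE))
```

Run against a real identity export and patch inventory, an empty report is the evidence a regulator would ask for; a single entry is the door the page describes as left open.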

These efforts showed a clear commitment to remediation. The ICO ultimately reduced the proposed fine from £6.09 million to £3.07 million, a strong signal that transparency, urgency, and corrective action can influence regulatory outcomes.

What You Can Learn From This

Even large, regulated suppliers get this wrong. This breach underlines some core truths about data protection:

  • MFA is baseline, not optional
    Regulators now treat multi-factor authentication as a minimum requirement. If it’s missing, even on one system, you're leaving the door open.

  • You’re accountable, even as a processor
    Handling someone else’s data doesn’t protect you from liability. The ICO made it clear: processors are directly responsible for their controls.

  • Due diligence isn’t a checkbox
    Whether it’s your internal team or a supplier, you need clear ownership, defined responsibilities, and evidence that the right controls are in place.

  • You can’t fix what you’re not monitoring
    Without structured scanning and patching, vulnerabilities pile up. Mature security posture means treating this as continuous, not periodic.

  • Your response can change the outcome
    Fast, transparent engagement with regulators and stakeholders won’t erase a breach, but it can reduce the damage, protect your reputation, and lower financial penalties.

Not Sure Where to Start?

Whether you're trying to close compliance gaps, reduce risk exposure, or just get a clearer picture of where you stand, we can help.

We work with commercial teams, IT leaders, and in-house compliance roles to identify weak spots and build practical, defensible data protection strategies.

You don’t need to be audit-ready tomorrow. But knowing your risks is the first step.

Download the Essential Data Protection Checklist to help identify gaps in your setup in ten minutes.

Or book a free consultation to see how we can help secure your data setup.
