NHS software supplier fined £6 Million

08 August 2024


Cyberattack compromised thousands of medical records

An NHS software supplier is facing a penalty exceeding £6 million following a cyberattack that compromised thousands of medical records.

The attack targeted Birmingham-based Advanced, which provides digital services for NHS 111, forcing much of the NHS to revert to pen and paper for weeks to maintain service continuity.

The Information Commissioner's Office (ICO) has provisionally ruled that Advanced breached data protection laws by failing to secure personal information belonging to nearly 83,000 individuals, whose medical records were stolen in the ransomware attack. Hackers accessed the company's system through an account lacking multi-factor authentication.

The stolen data included personally identifiable information, such as medical records, phone numbers, and advice on accessing the properties of 890 individuals receiving home care. There is no evidence that the stolen data has been published on the internet or dark web.

The ICO has issued a provisional fine of £6.09 million against Advanced, which is jointly owned by investment firms Vista Equity Partners and BC Partners. The final amount will depend on Advanced's response.

John Edwards, the UK's Information Commissioner, stated, "Not only was personal information compromised, but we have also seen reports that this incident disrupted some health services. For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security."

Illumio critical infrastructure director Trevor Dearing said the fine should serve as "a wakeup call" to all suppliers about the need to enhance their cyber resilience.

"Supply chain security remains a significant challenge within the NHS as shown by the recent Synnovis cyberattack. In fact, when we reached out to 213 NHS Trusts under the Freedom of Information Act 2000 in July 2023, more than a quarter of Trusts had not conducted audits on their third-party suppliers' cybersecurity measures," he said.

Last modified on 08 August 2024