Advanced, the software provider that supplies IT and data services for the NHS, is facing penalty of over £6.09 million after the NHS suffered a major cyber-attack that led to the theft of around 83,000 medical records.

The Information Commissioner’s Office (ICO) has been investigating the company since the breach happened on 4 August 2022.

The attack caused disruption to a wide range of health services, including the system used to dispatch ambulances, book out-of-hours appointments, and facilitate emergency drugs prescription.

The ICO said that the software provider breached data protection law as it failed to implement appropriate security measures to safeguard personal information belonging to NHS patients.

Records were stolen as hackers accessed Advanced’s computer system using an account which did not have multi-factor authentication (MFA), a security measure that is widely used to prevent unauthorised access to private data.

The stolen data included sensitive information like phone numbers, medical records, and property access information for around 890 patients receiving homecare.

The breach also caused disruption to critical services such as NHS 111, with staff being unable to access patient records.

Advanced reported that no evidence of any data being published on the dark web was found.

John Edwards, UK information commissioner, said that information security is crucial for organisations such as the NHS, which is “already under pressure” and has been “put under further strain” due to the incident.

He also encouraged all organisations to take fundamental measures to secure their systems, including regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

“Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” he added.

The news comes after the NHS suffered two new ransomware attacks this year.

In June, residents of the Scottish region of Dumfries and Galloway received a letter warning they had suffered a cyberattack resulting in sensitive data publication.

Earlier this month, another ransomware attack on a pathology service provider Synnovis heavily disrupted operations in multiple hospitals across London, impacting services such as blood tests or transfusions.

---