The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has confirmed that NHS vendor Advanced will be required to pay a fine of just over £3 million ($3.8 million) for failing to implement basic security measures prior to a ransomware attack in 2022.

The fine is half of the more than £6 million that the Information Commissioner’s Office had originally intended to impose in August 2024 over Advanced’s security shortcomings.

According to the ICO, Advanced violated data protection laws by not fully implementing multi-factor authentication before the breach occurred, allowing hackers to use stolen credentials to gain access and steal the personal information of tens of thousands of individuals across the UK.

The LockBit ransomware attack on Advanced resulted in extensive disruptions to NHS services, including patient data systems maintained by Advanced on behalf of the NHS.

Advanced has issued a statement confirming that the matter has been settled. However, when contacted by TechCrunch, the company declined to provide a spokesperson for further comment.
