NHS Software Supplier Ransomwared – Gets a £3M Discount for Being Helpful?

Imagine this: your software supplier gets ransomwared. They lose control of sensitive patient data, including NHS trust information. Data goes walkies. Patient privacy? Toast. Operational integrity? Compromised. And the regulator? They fine them £4.4 million… then go, “Ah well, they were very cooperative—let’s knock £3 million off that, shall we?”

Welcome to cybersecurity accountability, 2025 edition: where good behaviour after a catastrophic failure is apparently enough to earn you a gold star and a drastically reduced penalty.

What Actually Happened?

Advanced, a British software firm that provides IT services to the NHS and others, suffered a ransomware attack in August 2022. This attack led to major disruption across NHS services, including patient referrals, mental health support systems, and even ambulance dispatch services.

You know—the sort of systems you might not want taken offline because someone clicked the wrong email.

But the real kicker? It wasn’t just disruption. It was data theft. The attackers exfiltrated personal data, including NHS trust information, from Advanced’s systems. Cue the usual parade of legal, technical, and PR gymnastics.

Fast forward to March 2025, and the Information Commissioner’s Office (ICO) handed down a £4.4 million fine for failing to implement appropriate security measures. Then—in what can only be described as Peak Regulator Energy—they slashed it by £3 million because Advanced had cooperated with the investigation.

So let’s get this straight: you preside over a total data security meltdown, and as long as you’re polite and helpful afterwards, you get a 68% discount?

Marvelous.

Let’s Unpack This Ridiculousness

This story has all the ingredients of a perfect storm:

  • A critical supplier to the NHS, handling sensitive data.

  • A ransomware breach that directly impacted patient care.

  • Exfiltration of personal data.

  • A fine that was supposed to reflect the seriousness of the failure… only to be chopped down like a Black Friday sale item.

And before you say “but they were victims too!”—yes, they were. But let’s be very clear: being attacked doesn’t absolve you of responsibility if you left the bloody door open.

We don’t let banks skip fraud controls just because they’re “trying their best.” We don’t let airlines forgo safety checks because they send a really nice apology letter after the engine catches fire.

So why are we giving IT suppliers—especially those trusted by the NHS—a slap on the wrist and a biscuit?

Let’s Talk Governance

At what point does actual security governance kick in? If you're a supplier handling national health data, you don’t just need antivirus and a firewall. You need:

  • Real threat detection and response (hello, MDR)

  • Encryption at rest and in transit

  • Regular vulnerability scanning

  • Patch management (not a ‘we’ll get to it eventually’ approach)

  • Proper segmentation

  • Least privilege access

  • Pen testing

  • Cyber Essentials Plus at an absolute minimum

Spoiler: That last one? Not optional. You don’t get to handle NHS data without proving you’ve locked down your stack.

And yet, we still see major suppliers operating with paper-thin security postures, propped up by a wing, a prayer, and someone’s cousin who “does a bit of IT”.

Here's the Bit That Really Gets Me…

How many SMEs do you think will take the wrong lesson from this? “Oh look, they got hacked and still got a massive fine reduction! So if it happens to us, we just need to grovel and cooperate?”

Let me be blunt: that only works if you’re a multimillion-pound supplier with lawyers and PR teams. If you’re a small business, and you lose customer data because you didn’t bother to do basic cyber hygiene? The ICO will not be knocking three million quid off your penalty. You’ll be lucky if they don’t knock your business into the ground.

And yet, we keep seeing the same cycle:

  1. Supplier gets breached.

  2. Everyone feigns surprise.

  3. Data ends up on a dark web Telegram channel.

  4. The ICO blusters.

  5. A reduced fine is quietly announced with a “lessons will be learned” tagline.

  6. Nothing changes.

Where’s the Stick?

There is no deterrent at all if regulators continue to reward companies for reactive behaviour rather than proactive security.

Let’s try this instead:

  • Make Cyber Essentials Plus mandatory for all NHS suppliers.

  • Add contractual penalties for breaches that cause service outages.

  • Require independent annual audits (not self-assessments).

  • And yes, if a supplier screws up massively, make that fine stick.

Because right now? The message is: don’t worry if you get breached—as long as you’re polite about it, you’ll get a discount.

But It’s Not Just Advanced

Advanced is just the latest in a long line of “whoops, our bad” vendors getting away with minimal damage. You could easily replace their name with any number of others who’ve quietly dodged responsibility over the last few years.

And here’s the thing MSPs, IT providers, and software vendors don’t want to admit: it’s not enough to be reactive.

Real security is boring. It’s about planning, budgeting, auditing, and enforcing. It’s about saying “no” when clients want insecure shortcuts. It’s about proving you’ve done the work before something goes wrong—not writing a teary blog post after the fact.

Final Thoughts (Before My Blood Pressure Spikes)

So what have we learned?

  • Ransomware is still a massive risk.

  • Governance in public sector supply chains is still not where it needs to be.

  • The ICO, bless them, is still incentivising post-breach grovelling over actual preparation.

  • And if you’re an NHS supplier, you should be absolutely ashamed if you're not fully certified, fully audited, and fully locked down.

For the rest of us in the IT world? Let this be a reminder:

🔒 Good security doesn’t just protect your clients—it protects your reputation.

💸 If you’re cutting corners, a breach is only a matter of time.

🛑 And no, you probably won’t get a £3M discount when it’s your turn in the spotlight.

Sources:

  • ICO – Software provider fined £3m following 2022 ransomware attack

  • Computing.co.uk – ICO fines NHS IT supplier £3m over 2022 ransomware attack

  • The Register – Ransomwared NHS software supplier nabs £3M discount from ICO for good behavior

  • Sky News – Software provider fined £3m over ransomware attack that disrupted key NHS services

  • TechRadar Pro – NHS IT supplier hit with major fine following ransomware attack

  • Tech Monitor – UK ICO fines Advanced Computer £3.07m after NHS data breach

  • Bitdefender Blog – £3 Million Fine for Advanced Software, a LockBit Ransomware Victim

  • Bleeping Computer – UK fines software provider £3.07 million for 2022 ransomware breach
Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com