
Advanced / NHS 111 ransomware attack

A LockBit 3.0 ransomware attack on NHS software supplier Advanced took down the NHS 111 triage service and forced clinicians back to pen and paper, exposing data on tens of thousands of patients and drawing a £3.07 million ICO fine.

Victim: Advanced (Advanced Computer Software Group)
Loss: $27.0M
Records: 82.9K
Users: 82.9K

On 4 August 2022, Advanced, a major software and hosting supplier to the UK's National Health Service, was hit by LockBit 3.0 ransomware in an attack that rippled across British healthcare and forced clinicians back to pen and paper.

What happened

The attackers gained entry through a customer account that lacked multi-factor authentication, then deployed LockBit 3.0. Advanced detected the intrusion on 4 August and immediately pulled part of its infrastructure offline to contain the spread.

That containment, while necessary, knocked out hosted clinical systems including Adastra — used by roughly 85% of NHS 111 services to triage urgent but non-emergency calls — along with Carenotes, Caretaker, Crosscare, Odyssey, and Staffplan. The disruption was severe enough that the UK government convened a COBR crisis meeting, fearing the impact on patient care as staff resorted to manual record-keeping.

Impact

  • The NHS 111 triage service and multiple community and mental-health systems were disrupted for weeks while Advanced restored services.
  • Attackers exfiltrated data before encryption. The ICO later confirmed that personal data — phone numbers and medical records — of 82,946 people was taken, including details of how to gain entry to the homes of 890 people receiving care at home.
  • Advanced reported spending roughly £18.3 million on remediation, with further costs in the following financial year.

Regulatory action

In August 2024, the ICO announced its provisional intent to fine Advanced £6.09 million, finding the company had failed to implement appropriate measures — notably comprehensive multi-factor authentication and timely vulnerability scanning — before the attack. In March 2025, the ICO finalised a reduced penalty of £3.07 million, reflecting Advanced's cooperation and the voluntary settlement.

Why it matters

The Advanced incident is a defining UK example of healthcare supply-chain risk: a single hosting supplier's compromise cascaded into a national emergency-triage outage, demonstrating how concentrated dependence on one vendor can endanger patient safety. Because the entry point was a single account without MFA, the incident has become a recurring case study in NHS and ICO guidance on supplier security and basic access controls.

Financial impact

Reported costs in USD

Total reported loss: $27.0M (USD $27,000,000)
  • Fines & settlements: $3.9M

Timeline

  1. Advanced detects the LockBit 3.0 ransomware attack and pulls part of its infrastructure offline; NHS 111 and other health services are disrupted.

  2. The NHS triggers a COBR crisis meeting as clinicians revert to pen and paper across affected services.

  3. It is confirmed the attackers exfiltrated client data, including patient records, before encryption.

  4. The attack is publicly confirmed as LockBit 3.0, entering via a customer account without multi-factor authentication.

  5. The ICO issues a provisional intent to fine Advanced £6.09 million for security failings.

  6. The ICO finalises a reduced fine of £3.07 million against Advanced.

Sources

  1. therecord.media: https://therecord.media/advanced-fined-3-million-ransomware-attack-ico
  2. computerweekly.com: https://www.computerweekly.com/news/366599880/Advanced-faces-fine-over-LockBit-attack-that-crippled-NHS-111
  3. theregister.com: https://www.theregister.com/2022/10/14/nhs_software_hosting_provider_advanced_ransomware_lockbit/
  4. digitalhealth.net: https://www.digitalhealth.net/2022/10/client-data-exfiltrated-advanced-nhs-cyber-attack/
  5. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/uk-fines-software-provider-307-million-for-2022-ransomware-breach/
