Software group faces £6 million fine over 2022 ransomware attack

Written by David Fletcher 08 Aug 2024

The UK’s data protection watchdog plans to fine Advanced Computer Software Group £6.09 million ($7.7 million) for failings that led to a 2022 ransomware attack affecting NHS healthcare services. Nearly 83,000 people had their data stolen, and the attack caused significant disruption, including NHS non-emergency phone operators reverting to pen-and-paper operations. The Information Commissioner's Office (ICO) emphasised that the penalty is provisional, pending Advanced’s response. The attack was attributed to LockBit, which exploited a customer account that lacked multi-factor authentication (MFA) to breach the systems. Personal data of 82,946 individuals was stolen, including phone numbers, medical records, and sensitive information about access to the homes of vulnerable individuals. While Advanced found no evidence of this data being published online, the potential risk was severe. Information commissioner John Edwards stressed the importance of prioritising information security, highlighting the distress caused by losing control of sensitive data and the disruption to healthcare services.