Summary
The UK data watchdog is set to fine NHS vendor Advanced for security failures that occurred before the LockBit ransomware attack. These security lapses contributed to the vulnerability exploited during the attack.
The cyber attack had extensive repercussions, impacting the systems for dispatching ambulances, booking out-of-hours appointments, and issuing emergency prescriptions.
In a provisional ruling, the ICO stated that the software provider violated data protection laws by failing to secure personal information for 82,946 individuals.
These records were stolen in a ransomware attack by hackers who accessed Advanced's computer systems through an account that lacked multi-factor authentication (MFA).
Typically, MFA would have prevented cyber criminals from using stolen passwords to gain access.
The stolen data included sensitive information such as phone numbers, medical records, and details on how to access the properties of 890 people receiving home care.
Sign up for our newsletter
We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Sign up for our newsletter
We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
Vendor GDPR in Clinical Trials: What the IQVIA CNIL Ruling Changes for Sponsors and Healthtech Companies
On 26 May 2026 the CNIL fined IQVIA Operations France EUR 5 million for failures in its two authorised health data warehouses, LRX and EMR. The decision exposes weaknesses in CRO data protection practice that have direct consequences for every pharmaceutical sponsor relying on a CRO to process patient, prescription or trial data. This article unpacks the four areas of failure, explains why pseudonymisation no longer offers the cover many sponsors assume, and sets out a practical oversight checklist for sponsor data controllers.
EU AI Act for Healthcare: What Life Sciences Companies Need to Know before August 2026
EU AI Act 2026 healthcare enforcement requires immediate compliance to avoid penalties.
Navigating US Regulatory Requirements for AI-Powered Medical Devices: A Comprehensive Guide to FDA, HIPAA, and IRB Compliance
US AI medical device compliance requires navigating FDA, HIPAA, IRBs, and consent waivers strategically.
FAQs
Our frequently questions