NHS Supplier Breaches: How Third-Party Incidents Cascade into NHS Disruption
Advanced — one of the NHS's largest clinical software providers — suffered a ransomware attack in August 2022 that took its Adastra patient triage system offline for weeks, disrupting NHS 111 services across England. Synnovis in 2024 showed the same pattern: a supplier breach with direct, immediate impact on patient care. These incidents illustrate a fundamental challenge for NHS cybersecurity: the NHS's clinical operations are deeply dependent on third-party suppliers whose security posture is often invisible to the trusts and ICBs that rely on them.
The 2022 Advanced/Adastra attack disrupted NHS 111 triage services across England for over six weeks — affecting millions of patient contacts.
The Advanced Ransomware Attack: What Happened
In August 2022, LockBit ransomware operators attacked Advanced — a major provider of clinical software to the NHS, including Adastra (used by NHS 111), Caresys (care home management), and Odyssey (clinical decision support). The attack brought down multiple NHS systems simultaneously and disrupted 111 call handling across England. The ICO subsequently fined Advanced £3.07 million — the first time a data processor (rather than data controller) had been fined under UK GDPR — for failing to implement appropriate security measures, including multi-factor authentication on all systems accessing health data. The case established that processors bear real regulatory responsibility for NHS data security failures.
What NHS Organisations Should Demand from Suppliers
The Advanced case made clear that NHS organisations must actively manage supplier security rather than passively assuming it. Practically, this means: requiring evidence of Cyber Essentials Plus certification for all clinical system suppliers; contractually requiring MFA on all systems accessing NHS data; including the right to audit supplier security in all contracts; requiring suppliers to notify you within 24 hours of any incident affecting NHS systems or data; and using continuous attack surface monitoring (Panorays, deployed by Kyanite Blue) to maintain visibility of supplier security posture between contract renewals. The ICO has signalled that NHS commissioners who fail to include these requirements in supplier contracts may themselves face scrutiny following a supplier-caused breach.