27 March 2025

Advanced Fined £3 Million Over Ransomware Attack

The UK privacy regulator penalizes Advanced for security failings that compromised personal data of over 79,000 individuals.

British company Advanced has been fined £3.1 million (approximately $4 million) by the United Kingdom's privacy regulator, the Information Commissioner’s Office (ICO), due to a significant ransomware attack that occurred in August 2022. This penalty, announced on Thursday, March 27, 2025, comes after the company initially faced a fine of £6 million but reached a voluntary settlement with the ICO.

The ICO's investigation revealed that Advanced's security failings had put the personal information of 79,404 individuals at risk. The ransomware attack, believed to be orchestrated by the LockBit group, exploited a customer account that lacked multi-factor authentication. This breach led to severe disruptions, including the shutdown of the NHS 111 service, which is critical for triaging urgent medical calls. In the aftermath, healthcare staff were forced to revert to pen and paper to carry out their duties, prompting a crisis management meeting within the British government as officials grappled with the potential impact on patient care.

According to John Edwards, the Information Commissioner, "The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information." He emphasized that while Advanced had implemented multi-factor authentication across many systems, the lack of comprehensive coverage allowed hackers to breach their defenses.

The ICO's findings detailed that the personal information taken during the attack included sensitive data on how to access the homes of 890 individuals receiving care at home. The wider healthcare sector has since been hit by a separate ransomware attack on a pathology company, which led to the postponement of over 5,000 acute outpatient appointments, including critical cancer treatments in London. Data on more than 900,000 individuals was subsequently published online by the cyber extortion group responsible for that attack.

In light of the increasing frequency of cyber incidents across various sectors, Edwards warned that organizations risk becoming the next target without robust security measures. He urged all organizations to secure every external connection with multi-factor authentication to safeguard the public and their personal information.

The British government is responding to this growing threat by planning to introduce a new Cyber Security and Resilience Bill aimed at addressing the disruptions caused by cyberattacks. This legislation is expected to expand existing laws to encompass more digital services and supply chains, in addition to enhancing mandatory incident reporting.

Meanwhile, in a separate but equally concerning development, New York Attorney General Letitia James has urged customers of the DNA testing company 23andMe to secure their data following the company's recent bankruptcy filing. This announcement came after 23andMe filed for bankruptcy on Sunday, March 23, 2025, amid declining demand for its services, which has led to widespread uncertainty about the company's future.

As a result, many users have taken to social media to share detailed instructions on how to delete their accounts as a precautionary measure. Shares of 23andMe experienced a dramatic decline, closing 11% lower at 65 cents on Tuesday, March 25, 2025, following a staggering 59% drop the previous day.

A spokesperson for 23andMe acknowledged that the company's website had experienced issues due to increased traffic but assured users that these problems had been resolved. The company, which provides saliva-based tests offering insights into ancestry and genetic health risks, has previously made over 30 agreements with various companies, including British drugmaker GSK, allowing access to its extensive database.

Adrianus Warmenhoven, a cybersecurity expert at NordVPN, described 23andMe's genetic database, which boasts over 15 million customers, as a "digital goldmine." He highlighted the potential risks associated with the company's financial distress, noting that genetic data is not merely personal information but a comprehensive blueprint of an individual’s biological profile. Warmenhoven warned that when a company goes under, this valuable data could be sold, leading to potentially severe consequences for consumers.

In light of these developments, 23andMe has stated that its bankruptcy process will not affect customer data storage or management. The company reassured users that their data will remain protected under its existing privacy policy unless new terms are presented. However, legal experts have raised concerns about the ambiguity surrounding the data management responsibilities of any new owners.

I. Glenn Cohen, director of Harvard Law School's Petrie-Flom Center, noted the uncertainty regarding whether a new buyer would need to offer consumers an opt-out option. Robert Klitzman, director of the Masters of Bioethics program at Columbia University, indicated that users might pursue legal action to protect their data, although the outcomes of such lawsuits remain unclear.

Last year, 23andMe was reported to have agreed to pay $30 million and provide three years of security monitoring to settle a lawsuit accusing it of failing to protect the privacy of 6.9 million customers whose personal information was exposed in a 2023 data breach. However, the company clarified that this settlement had not been unconditionally approved by the United States District Court for the Northern District of California.

Despite the ability to withdraw data from the company's website, Klitzman cautioned that this does not guarantee complete protection since 23andMe's business model has historically involved selling user data to biotech and pharmaceutical companies. He emphasized the permanence of genetic information, stating, "You can protect your financial information, such as your credit card number, if hacked, by getting a new card. But your DNA is permanent – you cannot change it... Better laws are therefore needed to ensure that companies adequately protect this valuable information."

California Attorney General Rob Bonta also encouraged customers to delete their genetic data, echoing James's concerns regarding 23andMe's financial instability. James advised users to review their account settings and withdraw consent for the storage of their saliva samples and DNA, even if they had previously agreed to allow the company and third-party researchers to utilize their data.