Ransomware Attack on Advanced Disrupts NHS Services: Lessons for Healthcare Cybersecurity in 2026
Last week, IT partner Advanced was hit by ransomware, disrupting NHS 111 and emergency services. Recovery efforts, led by Advanced with support from NCSC and Microsoft, are ongoing with services expected to be restored in 3-4 weeks.
Ozan Ucar, Founder and CEO of Keepnet
Last Updated: 2026-06-01
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
In August 2022, Advanced, a major NHS IT provider, suffered a ransomware attack that disrupted critical health services across the UK. The attack remains one of the most significant cyber incidents ever recorded against UK healthcare infrastructure. By 2026, the attack has become a landmark case study for healthcare cybersecurity globally: the UK government subsequently enacted the Cyber Security and Resilience Bill, NHS organizations have accelerated legacy system modernization programs, and the Cyber Essentials certification has become a baseline requirement for NHS suppliers. Despite these advances, ransomware attacks on healthcare providers globally have continued to increase, with average ransom demands in healthcare exceeding $4 million by 2025.
The 2022 attack on Advanced disrupted NHS 111, out of hours appointment booking, ambulance dispatch coordination, and mental health care systems. Full restoration of all affected services took several months beyond the initial three to four week estimate. The attack exposed the NHS's structural dependency on a small number of large IT suppliers and accelerated sector-wide discussions about supply chain risk in healthcare IT. In 2026, NHS England requires all critical IT suppliers to demonstrate compliance with defined cybersecurity standards as a condition of contract, a direct policy response to the Advanced incident.
The Immediate Impact of the Attack
Advanced is responsible for multiple core systems within the NHS, with the NHS 111 service among its primary clients. As a result, the ransomware attack created bottlenecks across various healthcare services:
- Patient Dispatch Delays: NHS 111, which provides urgent healthcare guidance, experienced slowdowns in dispatching patients to appropriate care facilities.
- Emergency Prescriptions Affected: Prescription and medication services were also disrupted, potentially affecting timely patient care.
- Ambulance and Out-of-Hours Services Delayed: Ambulance dispatch and out of hours services were disrupted, resulting in delays and strained resources in emergency care.
Given the extensive reliance of NHS operations on Advanced’s systems, these disruptions highlight a weak link that could be exploited in similar attacks.
Advanced’s Response and Recovery Plans
In the face of this breach, Advanced coordinated with specialist cybersecurity firms to investigate and remediate the attack. As of August 10, Advanced confirmed that the National Cyber Security Center (NCSC) is actively supporting the ongoing investigation. While the initial breach has been contained, restoring full system functionality for NHS services remains a multi week effort.
Timeline for Service Restoration
According to Advanced’s latest update, the company is taking a phased approach to bring critical NHS services back online. For NHS 111 and other emergency services utilizing Advanced’s Adastra system, a gradual restoration process will begin soon. Full recovery for all NHS related operations, however, may take another 3-4 weeks, and contingency plans are advised during this period.
Government Response and the Need for Resilient Cybersecurity in Healthcare
The UK government’s attempt to downplay the ransomware attack as “minimal destruction” stirred controversy, especially given the clear operational disruptions across NHS services. This highlights a broader issue: governments and healthcare providers need to adopt a proactive stance on cybersecurity. Maintaining system resilience is critical not only for IT departments but for healthcare professionals and the patients they serve.
Healthcare institutions must prioritize:
- Cybersecurity Awareness Training to prepare employees for potential ransomware threats, as seen in attacks on other sectors.
- Incident Response Plans to handle breaches with a rapid, coordinated response, minimizing impact on essential services.
- Threat Intelligence and Monitoring to detect vulnerabilities in third party systems, such as Advanced’s platform, which can inadvertently affect an entire healthcare network.
Organizations can benefit from security awareness training to reinforce protective measures and prepare personnel for potential breaches. Advanced’s incident reflects the necessity for widespread cyber awareness and preparedness, given the frequent targeting of critical sectors by ransomware attackers.
The Importance of Contingency Plans
For NHS and other healthcare providers, the reliance on third party IT systems underscores the importance of robust contingency plans. With contingency measures in place, healthcare services can mitigate service disruptions and manage patient needs even when primary systems are compromised.
The Long Road to Full Recovery
For NHS providers, Advanced's phased recovery approach offered early reassurance, but the extended timeline to full restoration revealed how deeply embedded third party IT systems have become in healthcare delivery. In 2026, the incident continues to shape NHS supplier security requirements, incident response planning, and investment in healthcare-specific cybersecurity capabilities. Organizations that have not reviewed their supplier dependency and contingency arrangements since 2022 should treat this case as an urgent prompt to do so.
Editor's Note: This article was updated on June 1, 2026.
SHARE ON