
Compliance enforcement in UK healthcare is no longer a distant concern for large NHS trusts. In 2025, the ICO collected seven times more in fines than it did across the whole of 2024, from less than half the number of cases. The average penalty jumped from roughly £150,000 to over £2.8 million. A patient death has been officially linked to a ransomware attack. And the regulatory direction is clear: fewer warnings, higher consequences.
If you manage a pharmacy, dental practice or GP surgery, the enforcement actions of the past 18 months are directly relevant to your risk profile. The failures that triggered these penalties were not exotic or sophisticated. They were basic security controls that were not in place, and governance requirements that were not met. The same gaps exist in thousands of healthcare SMBs across the UK today.
In October 2025, the ICO imposed a £14 million fine on Capita after a March 2023 cyber attack that exposed the personal data of 6.6 million people. The breach affected 325 organisations, compromising pension records, staff data, criminal records, financial information and special category data. In 890 cases, the stolen data included details of how to access the homes of vulnerable people receiving care.
The attack started when a malicious file was downloaded onto an employee device. A high-priority security alert was raised within ten minutes. Capita took 58 hours to quarantine the device. During that window, the attacker escalated privileges, moved laterally across multiple domains and exfiltrated nearly a terabyte of data before deploying ransomware.
The ICO found that Capita's security operations centre was understaffed and had been routinely missing response targets for months before the incident. Penetration testing had flagged the vulnerabilities on at least three separate occasions, but findings were siloed within business units and not remediated across the network. The initial proposed fine was £45 million. It was reduced to £14 million after Capita admitted liability and entered a voluntary settlement. The ICO's starting point before mitigating factors had been £58 million.
In March 2025, the ICO fined Advanced Computer Software Group £3.07 million following a 2022 ransomware attack. Advanced provides IT and software services to the NHS, including systems supporting NHS 111. The breach compromised data belonging to 79,404 individuals, including sensitive health information and, for 890 people receiving home care, details of how to gain entry to their properties.
Hackers gained access through a customer account that lacked multi-factor authentication. The ICO found gaps in MFA deployment, insufficient vulnerability scanning and inadequate patch management. The initial proposed fine was £6.1 million, halved through a voluntary settlement.
This case is significant because it was the first time the ICO imposed a monetary penalty on a data processor under the UK GDPR. Previously, enforcement had focused on data controllers. The ICO's Deputy Commissioner stated explicitly that there is no longer any excuse for not deploying MFA across all external connections, and warned that organisations can expect fines to increase in similar cases. For healthcare practices that rely on third-party IT providers, this shifts the risk picture. Your processor's failures are now directly enforceable, and regulatory action against a processor does not relieve the controller of its own obligations.
On 3 June 2024, the Qilin ransomware group attacked Synnovis, a pathology services provider for several NHS trusts in south-east London. The attack crippled IT systems across the organisation, disrupting blood testing, diagnostic services and pathology results for hospitals, GP practices and community services across six London boroughs.
The scale of disruption was severe. Over 10,000 acute outpatient appointments were cancelled. More than 1,700 elective operations were postponed at King's College and Guy's and St Thomas' NHS Foundation Trusts, including nearly 200 cancer-related procedures. The attack caused a blood shortage locally and put national blood stocks under pressure as healthcare providers were forced to use O-negative blood due to limitations on blood matching. By January 2025, the financial cost was estimated at over £37 million.
Nearly 600 patient safety incidents were linked to the attack, including 170 that directly affected patient care, two cases of severe harm, and over 120 low-harm incidents. In 2025, King's College Hospital NHS Foundation Trust confirmed that a patient died unexpectedly during the attack, with the safety investigation identifying the cyber-related delay in blood test results as a significant contributing factor. It is the first confirmed patient death linked to a ransomware attack in the UK.
The hackers reportedly demanded $50 million and subsequently published stolen data on the dark web, including names of patients with cancer and details of sexually transmitted infections. An estimated 900,000 patients may have had data stolen. Seventeen months after the attack, the data review was still ongoing.
The DSPT submission deadline for 2025-26 is 30 June 2026. Organisations that fail to submit, or that submit below the required standard, face documented consequences that directly affect day-to-day operations. Loss of access to NHSmail, e-Referral, the Summary Care Record and other core NHS systems has been recorded in previous cycles. For a pharmacy dispensing NHS prescriptions, a GP surgery handling referrals, or a dental practice using NHS patient pathways, even a temporary loss of system access creates immediate operational problems.
Version 8 of the DSPT has raised the bar with updated requirements across all sector categories. Pharmacies, GPs, dentists and opticians face revised Outcomes, Assertions and Evidence items. The alignment with Clinical Assurance Framework v3.4 adds another layer of rigour. Practices that scraped through previous versions may find that their existing approach no longer meets the standard.
Data security and governance failings do not exist in isolation. They surface during regulatory inspections. CQC reports for dental practices and GP surgeries have repeatedly cited data governance and cyber security weaknesses as factors in poor ratings. The GPhC's pharmacy inspection framework includes governance and data handling criteria that map directly to DSPT and GDPR obligations.
A "Requires Improvement" or "Inadequate" rating triggers additional scrutiny, conditions on registration and, in serious cases, enforcement action. The cascading effects are commercial as well as regulatory. Poor inspection outcomes affect patient confidence, staff recruitment and the practice's ability to engage with NHS commissioning bodies.
The pattern across every enforcement action of 2025 is the same: basic controls were not in place, known vulnerabilities were not remediated, and reactive response was inadequate. The ICO has been explicit that fines will continue to increase for organisations that fail to implement foundational security measures. The Synnovis incident has made the patient safety argument in terms that no healthcare provider can ignore.
For pharmacies, dental practices and GP surgeries, the cost of compliance through the Naq and VoIP Shop partnership is a known, fixed number. The cost of non-compliance is not. It ranges from system access loss and operational disruption through to ICO enforcement, inspection failures and, in the worst case, patient harm.
VoIP Shop's team already supports thousands of healthcare customers. Through the partnership with Naq, they can now assess which compliance frameworks apply to your practice and put you on a clear path to meeting them. One conversation, fixed pricing, no ambiguity. The enforcement landscape has changed. Make sure your practice has changed with it.