The unidentified hackers were able to gain access to the information by using a customer's account that did not have sufficient protection in the form of multi-factor authentication.
The regulator's investigation concluded that Advanced did not have appropriate security measures in place prior to the incident.
The cyberattack led to the disruption of critical services including NHS 111, and left some healthcare staff unable to access patient records.
Software used to facilitate patient check-ins was also impacted.
Last year, the regulator criticised Advanced over the incident, which placed "further strain" on a "sector already under pressure".
While the company had installed multi-factor authentication across many of its systems, "the lack of complete coverage" was criticised by Information Commissioner John Edwards.
"The security measures of Advanced's subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information," Mr Edwards said.
He added the fine should serve as a "stark reminder" to organisations to ensure they have "robust security measures in place".
"There is no excuse for leaving any part of your system vulnerable," Mr Edwards added.
Last year, the ICO announced it intended to impose a provisional £6m fine on Advanced for the breach.
However, the watchdog said the sum had been halved because of the proactive engagement of Advanced with police, cyber security services and the NHS following the attack.
