Software Vendor Attack Slows Down 2 UK Ambulance Services

Healthcare
,
Industry Specific

Paramedics Can’t Access NHS Patient Records, Resort to Using Pen and Paper

Marianne Kolbasuk McGee (HealthInfoSec) •
July 26, 2023    

A cyberattack last week against a Swedish software and services vendor has reportedly severed access to digital health records for at least two National Health Service ambulance services in the United Kingdom. Paramedics have resorted to using pen and paper to manage patient information.

See Also: Webinar | Securing Telemedicine and the Future of Remote Work in Healthcare

In a statement posted on its website, Ortivus, which is based in Danderyd, Sweden, said a cyberattack on July 18 had affected U.K. customers using the company’s MobiMed ePR electronic patient record systems within the firm’s hosted data center environment.

A subsequent undated update by Ortivus said the company was awaiting the go-ahead from NHS officials to initiate an interim IT system during the recovery process.

The NHS customers affected by the incident include South Western Ambulance Service Foundation Trust or SWASFT and South Central Ambulance Service Trust or SCAS. Combined, the two serve about 12 million people across England, according to U.K. news site Computing.

A SWASFT spokeswoman on Wednesday referred Information Security Media Group to NHS England, which she said is coordinating the response. Neither NHS England nor Ortivus immediately responded to ISMG’s requests for information about the incident and the status of recovery.

Ortivus said in its updated statement that since July 20 the company had been ready to initiate MobiMed ePR electronic patient records as an “interim live environment” using new equipment for its British customers who had been affected by the recent cyber incident.

But the company added it was awaiting final approval by NHS authorities before the ambulance trusts can reconnect. “Before the system can be brought into operation it has to be approved and verified by an independent actor to ensure that the system meets certain criteria indicated by NHS England and the Ambulance Trusts,” Ortivus said. “This external analysis is ongoing and is expected to be finished at the beginning of next week.”

In the meantime, paramedics can use the MobiMed ePR application locally on their computers, Ortivus said. “However, they will not be able to import or export patient data before the approval has been received.”

Ortivus said in its statement that no other IT systems have been attacked and no customers outside of those in the hosted data center have been affected by the incident.

The Ortivus incident is the latest cyberattack involving a third party that has affected the NHS, including emergency medical services and patient data.

Last year, several local NHS units across the U.K., including NHS 111 urgent care services, experienced IT outages for weeks stemming from a ransomware attack on software vendor Advanced, which contracts with the British government to provide digital services for NHS 111 (see: Ransomware Attack Caused NHS Outage, Says Vendor).

A recent cyberattack against the U.K. University of Manchester compromised sensitive personal information of about 1.1 million NHS patients, including trauma patients and victims of terrorism. The breach also affected students and alumni (see: Trauma, Terrorist Victim Data Breached in University Attack).