Ambulance patient records system hauled offline for cyber-attack probe

UK trusts serving 12 million people affected as vendor awaits results of forensic investigation

Several UK NHS ambulance organizations have been struggling to record patient data and pass it to other providers following a cyber-attack aimed at health software company Ortivus.

In a statement, the Sweden-headquartered software vendor said it was subject to a cyber-attack on July 18 which hit UK customer systems within its hosted datacenter environment.

South Western Ambulance Service Trust and South Central Ambulance Service Trust moved to a hosted environment for Ortivus's MobiMed software following an agreement signed in 2020. Between them, they serve a permanent population of around 12 million people, although England's southwest peninsula enjoys an influx of more than 23 million visitors each year.

Neither NHS England nor the vendor denied these trusts are affected but declined to provide further information.

An insider close to the incident said staff at South Central Ambulance Service Trust had been forced to use pen and paper following the incident and were being warned about the possibility of phishing attacks.

Staff had been told efforts to patch servers, believed to be Microsoft Windows Server, were ongoing, the individual told The Register.

In a statement, Ortivus said: "The electronic patient records are currently unavailable and are until further notice handled using manual systems. No patients have been directly affected. No other systems have been attacked and no customers outside of those in the hosted datacenter have been affected."

MobiMed ePR (electronic patients records) is designed to help monitor and keep records in pre-hospital care as well as share vital parameters with other care providers.

On July 21, Ortivus said it was ready to relaunch MobiMed ePR for the hosted environment customers, but was waiting on "final approval by NHS authorities before the ambulance trusts can reconnect."

"Before the system can be brought into operation it has to be approved and verified by an independent actor to ensure that the system meets certain criteria indicated by NHS England and the Ambulance Trusts. This external analysis is ongoing and is expected to be finished at the beginning of next week," it said in a statement.

However, Ortivus CEO Reidar Gårdebäck told The Register he was unable to confirm when the third-party forensic analysis would be complete.

"That is ongoing as we speak, so to give an exact timeline is not possible at the moment because that depends on the forensic analysis of the incident itself," he said.

He said the alternative system was ready within 24 hours of the attack. A backup system was available for viewing patient records, but the cyber-attack "impacted integrations to other systems."

Gårdebäck said the company was not ready to discuss compensating trusts for the disruption to its services.

"Our focus now is just to restore the services and we're doing everything we can, with all our resources, to get the system up and running again. The discussion regarding compensation will be done later on," he said.

"We have no indication that any data has been stolen or lost. Of course, we are monitoring that."

Speaking on behalf of the affected trusts, an NHS England spokesperson said: "We are aware of an incident affecting a small number of ambulance services. Our Cyber Security Operations Centre is working with affected organisations to investigate, alongside law enforcement colleagues, and supporting suppliers as they work to reconnect the system." ®

More about


Send us news

Other stories you might like