Data privacy fears: GPs sharing records on Word after cyber attack

Data privacy fears as GPs are sharing patient records on Word documents via email following cyber attack — and they could be ‘easily intercepted’ by hackers

  • Major NHS IT provider Advanced suffered ransomware attack last Thursday 
  • It has left some key services such as access to patient records disrupted 
  • GPs are receiving patient records via Word docs sent to their email address 

GPs are sharing patient records on Word documents via email amid ongoing disruption due to the NHS cyberattack.

There are concerns the move could risk patient privacy. 

Advanced, a major IT provider to the health service, are being held ransom by hackers amid concerns millions of confidential records could be affected.

Blackmailers are asking for money in return for not leaking confidential data, leaving the NHS without access to key services in the meantime.

GP practices have now been forced to access vital patient information via Microsoft Word documents sent to their NHS email.

Patient rights groups warned that the emails could be ‘easily intercepted’ by hackers and puts patients at risk.

They hit out at the over-reliance of digital-only systems in the health service, which leaves it vulnerable to future attacks.  

Hackers have issued demands to an IT firm that supplies NHS trusts after it was hacked last week, it was claimed today. Pictured: The company Advanced’s Adastra software that is used by 85 per cent of NHS 111 providers in England

Cyber criminals targeted a firm that supplies IT to NHS providers last week.

Software company Advanced, which provides patient data to dozens of trusts and 85 per cent of NHS 111 providers in England, was hacked last Thursday.

Advanced’s Adastra software, one of the systems that was attacked and is used by NHS 111, covers 40million patients, according to the company. 

Affected NHS 111 call handlers currently do not have access to the GP records or NHS numbers of people ringing the non-emergency service.

They are also unable to make electronic bookings with GPs or send out ambulances for patients while the Adastra software is still offline.

GP notes, mental health records and patients’ unique NHS numbers may have been stolen in the attack. 

The criminals also hacked the company’s Carenotes EPR software, which holds mental health records.

Affected mental health trusts warned staff are currently facing a ‘pretty desperate’ situation, still unable to access vital patient records.

An update to GP practices in Liverpool, seen by the family doctor magazine Pulse Today, states data-sharing methods is ‘not ideal’ but medics being blind to the information is a greater risk.

The letter states: ‘We have agreed that clinical consultation information will be sent in the form of a Microsoft Word document via secure email to your practice email account.

‘This will allow practices to review key patient information and choose how to record that information in practice systems.’

It added: ‘Whilst this is not ideal, it is considered a lower risk to patient care than practices being unsighted on out-of-hours interactions.’

The update told medics to regularly check their emails to make sure they have received the records until they are told the usual ‘clinical system’ is working again.

Dennis Reed, director of Silver Voices, a campaign group for the over-sixties told MailOnline warned emails containing patient information can be ‘easily intercepted’ by hackers intent on doing so. 

He said: ‘There is increasing over-reliance on digital-only systems and there are not sufficient back-ups if they system is hacked or sabotaged.’ 

This is making the UK a ‘haven for hostile states’, as the lack of paper documentation is making the ‘crown jewels available for hostile states to create mischief’, Mr Reed said.

‘What happens if all or a group of patient data is deleted? Doctors would lose access to vital information such as allergies and medical history,’ he said.

More needs to be done to protect patient information and protect against attacks on NHS system as ‘if they can interfere with 111 the same cane be done for 999 too’, he added.

Rachel Power, Chief Executive of the Patients Association, told MailOnline: ‘The sharing of patients’ information between care institutions is essential to delivering joined-up care that works for the patient, and that’s important. 

‘If services are having to use different systems because of a cyber attack, then it’s essential that this is done with all appropriate safeguards to ensure that sensitive information remains confidential.

‘It’s important that the NHS explains to patients what is happening and how their data are being protected, and if there’s anything they could or should be doing to protect their sensitive health information.’

An NHS England spokesperson said: ‘While Advanced has confirmed that the incident impacting their software is ransomware, the NHS has tried and tested contingency plans in place including robust defences to protect our own networks, as we work with the National Cyber Security Centre to fully understand the impact.

‘The public should continue to use NHS services as normal including NHS 111 for those who are unwell, although some people will face longer waits than usual, as ever if it is an emergency, please call 999.’

An Advanced spokesperson said files are only ‘requested, created and distributed in a secure way’, with customers requesting data from its portal and then being sent a link to a platform to collect the data. 

Advanced first spotted the ransomware attack at 7am on August 4 and worked to contain the hackers, who are understood to be seeking a financial award.’

It said there is ‘nothing to suggest’ the NHS is at further risk of malware spread.

In an update on Wednesday, the IT company said it is working to bring affected NHS services back online within the next few days.

The affected services include Adastra, which allows emergency care staff to make GP referrals, dispatch ambulances and share patient records with other NHS staff.

Caresys and Carenotes, which are used for care home management.

An anonymous NHS pharmacist this week told the BBC that the attack meant they were unable to read patients medical history, forcing their team to make ‘clinical decisions nearly blind’.

An NHS internal memo, leaked to The Guardian, warned the cyber attack ‘presents significant challenges’ to the health service and fixing the problems arising from the incident — such as manually typing up paper notes — ‘may take some time’. 


More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack in May 2017.

Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.

NHS officials claimed 47 trusts were affected – but the National Audit Office (NAO) found the impact was far greater, and in fact 81 were hit by the attack.

When the attack started on May 12, it ripped through the out-of-date defences used by the NHS.

More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May

The virus, which spread via email, locked staff out of their computers and demanded £230 to release the files on each employee account.

Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. 

Locked out medics had to rely on pen and paper, while crucial equipment such as MRI machines were also disabled by the attack.

The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals even had to divert ambulances away at the peak of the crisis.

Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7, that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.

NAO claimed the cyber attack could have easily been prevented. Officials were warned repeatedly about the WannaCry virus beforehand, with ‘critical alerts’ being sent out in March and April.

Foreign Office minister Lord Ahmad confirmed the attack was carried out by the notorious North Korean cyber espionage group Lazarus. 

Computer systems in 150 countries were caught up in the incident, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid. 

The Department of Health said that from January 2018 hospitals will be subject to unannounced inspections of IT security.  

Source: Read Full Article