Mental health trusts unable to access patient records after cyber attack

Twelve mental health trusts are still struggling to gain access to electronic patient records (EPRs) after a cyber security attack on the NHS in August.

Trusts that use the CareNotes EPR software supplied by Advanced have been unable to access parts of their EPR systems since the ransomware attack on 4 August. Some of the systems affected by the attack will not be fully available again until 2023, according to a report in Digital Health.

The affected trusts are:

• Mersey Care NHS Foundation Trust
• South London and Maudsley NHS Foundation Trust
• Coventry and Warwickshire Partnership NHS Trust
• Camden and Islington NHS Foundation Trust
• Cheshire and Wirral Partnership NHS Foundation Trust
• Devon Partnership NHS Trust
• Oxford Health NHS Foundation Trust
• Tavistock and Portman NHS Foundation Trust
• Sussex Partnership NHS Foundation Trust
• Camden and Islington NHS Foundation Trust
• Herefordshire and Worcestershire Health and Care NHS Trust
• Norfolk and Suffolk NHS Foundation Trust

The attack has disrupted patient care, and some trusts are now implementing replacement EPR systems.

Some trusts initially switched to using Microsoft applications as a stop-gap, but have now decided to move to an alternative interim EPR supplied by RiO for at least 12 months.  A source familiar with the incident told Digital Health that it was almost impossible to imagine trusts later returning to CareNotes.

A ‘critical patient safety issue’

When the ransomware attack happened, the NHS initially prioritised recovering the Initial Adastra system used by the NHS111 national emergency telephone support service. Most of it had been recovered by August 2022.

This has left mental health trusts still struggling, however. Community services, social care providers and care homes have also been disrupted.

An anonymous NHS digital leader told Digital Health that the now-unavailable EPR systems include “crucial data such as medication details for patients or details such as whether a patient is a potential danger to themselves and others.” The source said it was a “critical patient safety issue“ and that it had been “hugely disruptive.”

The source questioned why mental health trusts had not been given high priority and why the ongoing disruption from the attack was not a national news story.  “You can’t help but think that if this was a group of acute trusts this would be getting national front-page coverage and would have been sorted by now,” they added.

NHS trust board papers from September make plain the extent of the disruption to NHS services. The September report of the CEO of Oxford Health NHS Foundation Trust to the board states: “This ongoing cyber incident has placed a huge burden on colleagues across Oxford Health, many of whom have worked considerably in excess of their contracted hours in order to deliver services.” 

The September board papers at Camden and Islington  state: “From early August, the Trust’s electronic patient record, known as CareNotes, has not been available. This is part of a wider national issue with the system provider, Advanced, being subject to a ransomware attack, which led to a national decision to suspend many of the systems it provides across the NHS and beyond. This incident has affected many other NHS organisations nationally and is being coordinated by NHS England at national level.”