This site is intended for health professionals only

GPs sharing patient records in Word docs as cyber attack resolution ‘days’ away

GPs sharing patient records in Word docs as cyber attack resolution ‘days’ away

GPs working in urgent care are having to share patient records on Word documents as the fallout from last week’s cyber attack is still ongoing.

First highlighted by Pulse, parts of the NHS 111 service suffered a ‘total system outage’ last Thursday morning, following a ransomware attack.

System host Advanced, which was targeted in the ‘financially motivated’ attack, has said it will be able to phase services back online within the ‘next few days’.

An update sent to Liverpool GP practices, seen by Pulse, said appointment information will be sent in a ‘Microsoft Word document via secure email to your practice email account’.

The update recognised the situation is ‘not ideal’, but said it is more of a risk for GP practices not to see patient information from out-of-hours interactions.

It said: ‘We have agreed that clinical consultation information will be sent in the form of a Microsoft Word document via secure email to your practice email account.

‘This will allow practices to review key patient information and choose how to record that information in practice systems.’

It added: ‘Whilst this is not ideal, it is considered a lower risk to patient care than practices being unsighted on out-of-hours interactions.’

The update said that ‘North West 111 services are not affected directly by this issue’ but that ‘Merseyside GP out-of-hours service provided by Primary Care 24 (PC24) has been affected along with many across the country’.

While PC24 has been ‘operating effectively under business continuity measures’, it has ‘recently raised with us a concern that clinical interactions with the service are not being communicated to practices whilst systems are down’, the update said.

It added: ‘They have been able to record consultations and activity electronically, offering the ability to share this information via secure email.’

‘All practices [must] ensure that their email account is checked on a regular basis for receipt of the records,’ the update said, and practices will be informed as soon as there is ‘clinical system recovery allowing resumption of normal record transfer’.

Meanwhile, the 111 system host said normal service is due to be phased in in the ‘next few days’.

NHS 111 system host Advanced’s latest FAQs said: ‘With respect to the NHS, we are working with them and the National Cyber Security Centre to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. 

‘For NHS 111 and other urgent care customers, we anticipate this phased process to begin within the next few days. 

‘For other NHS customers, our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks.’

It confirmed that the cyber incident was a ransomware attack and said it believes this to be ‘purely financially motivated’.

Advanced said: ‘This was a ransomware attack conducted by a threat actor that we believe, based on threat intelligence provided to us from the authorities and our expert advisors to date, is purely financially motivated.’

The company could not confirm that patient data is not at risk, though it said ‘we have found no evidence that any personal data has been compromised’.

It said: ‘With respect to potentially impacted data, our investigation is underway, and when we have more information about potential data access or exfiltration, we will update customers as appropriate. Additionally, we will comply with applicable notification obligations.’

Urgent Health UK said: ‘Most of our members are facing difficulties but have used their business continuity systems to ensure that they are able to continue providing urgent care and other services to their patient populations. 

‘One of the consequences is that GP practices are no longer getting reports of contacts the following morning. To address it organisations are working to send the reports by email.’

It added that it is ‘very frustrating that this vulnerability has been exposed at this time, especially when it was signposted only recently’. 

Urgent Health UK also called for ‘national and local messaging to local populations’ so ‘people can understand what is happening and take extra care to use services appropriately’.

First revealed by Pulse, the 111 outage meant GPs in London were warned they could see an influx of patients signposted from the service.



Please note, only GPs are permitted to add comments to articles

Dylan Summers 11 August, 2022 12:02 pm

Rather worrying that such a critical service can be incapacitated for a week like this.

I was working OOH on Saturday morning. The quietest shift I can remember, presumably because 111 were struggling to send any patients to us.

Kevlar Cardie 11 August, 2022 2:38 pm

If it saves this GP from having to wade through the mental Gorilla-Glue Lido of a tightly typed 3 page tome from 111 telling me that a toddler with a simple tonsillitis: “hasn’t been bitten by a Malayan Pit Viper/ Hasn’t walked past an off license in the past 10 years/ hasn’t witnessed a UFO landing/ hasn’t taken an overdose of Mogadon etc, etc, etc… ad nauseum”…

then what’s not to love ?

David jenkins 12 August, 2022 10:16 am

i have been a gp since 1979.

i am 72, and still doing locums

unfortunately, because i’m “just a locum” the welsh nhs will not give me an nhs email address.

so – very sorry – but if the welsh nhs is depending on their “secure email system” for sending out more tripe for me to digest, then i shall not be able to assist if (or when) this lands in wales !

so i’m afraid it’s back to sorting out my 1939 wolseley, which is now actually on the road !

David jenkins 12 August, 2022 10:40 am

anyone else noticed all the sexy buzzwords ? how much are they paid to think this drivel up ?

total system outage = it’s broken

not ideal practices being unsighted on out-of-hours interactions.’ = we can’t tell you anything

clinical system recovery normal service is due to be phased in in the ‘next few days = we’re trying to mend it

validate the additional steps we have taken = making sure we’re mending it properly this time

threat actor = fraudster/criminal/hacker etc etc

we have found no evidence that any personal data has been compromised’ = we haven’t looked very hard in case we’re found to be liable

potential data access or exfiltration = hacking

update customers as appropriate = keep you in the dark as much as we can get away with (i.e. “mushroom syndrome” with a different name)

we will comply with applicable notification obligations. = we will try and avoid a penalty under the data protection regulations

signposted only recently = only just spotted it.

111 outage meant GPs in London were warned they could see an influx of patients signposted from the service = more shit coming your way, without any warning.

Dylan Summers 13 August, 2022 9:12 am

At the risk of sounding like one of Monty Python’s Yorkshiremen:

Word document?? If only!

We’re receiving digital photos of handwritten 111 triages at OOH this morning. It means we can’t even cut and paste details.