The NHS is struggling to recover electronic patient records (EPRs) for a group of 12 mental health trusts after the most disruptive cyber security attack on the health service since Wannacry.

Trusts reliant on the CareNotes EPR software supplied by Advanced have not been able to use their systems for over two months since the supplier was hit by a ransomware attack on 4 August 2022, and has left them unable to access key patient medical records.

For those trusts affected, the aftermath of the attack has proved far more difficult to recover from than the Wannacry attack in 2017, with key systems and patient data remaining unavailable. Digital Health understands that some systems affected by the ransomware attack will not be available until 2023. 

The 12 trusts that had been running CareNotes are: 

  • Mersey Care NHS Foundation Trust 
  • South London and Maudsley NHS Foundation Trust 
  • Coventry and Warwickshire Partnership NHS Trust 
  • Camden and Islington NHS Foundation Trust 
  • Cheshire and Wirral Partnership NHS Foundation Trust 
  • Devon Partnership NHS Trust 
  • Oxford Health NHS Foundation Trust 
  • Tavistock and Portman NHS Foundation Trust 
  • Sussex Partnership NHS Foundation Trust 
  • Camden and Islington NHS Foundation Trust 
  • Herefordshire and Worcestershire Health and Care NHS Trust 
  • Norfolk and Suffolk NHS Foundation Trust 

Trusts have reported that the incident has had a “huge impact” on staff and disrupted patient care. In some cases, complete replacement EPR systems are now having to be rapidly implemented. 

Now, faced with continuing to have no access to key systems, some trusts which had initially switched to using Microsoft applications as a stop-gap, have taken the decision to switch entirely to an alternative interim EPR system supplied by RiO for at least 12-months.  A source familiar with the incident said that it was almost impossible to imagine trusts later returning to CareNotes.   

Initial priority was given to recovering the Adastra system used by the NHS111 national emergency telephone support service, with the system largely recovered by August 2022. 

One anonymous NHS digital leader questioned why similar priority was not given to mental health trusts. Community services, social care providers and care homes have also been disrupted. 

“The EPR systems and patient records that have been unavailable include crucial data such as medication details for patients or details such as whether a patient is a potential danger to themselves and others, it’s a critical patient safety issue and it’s been hugely disruptive,” they said.

They went on to question why mental health trusts had not been given high priority and why the ongoing disruption from the attack was not a national news story.  

“You can’t help but think that if this was a group of acute trusts this would be getting national front-page coverage and would have been sorted by now,” they added.

Extent of the disruption is revealed

The extent of the disruption to NHS services has been revealed in a series of September trust board papers detailing the impact of the incident on mental health and physical health services.   

September board papers from Oxford Health NHS Foundation Trust state that the loss of CareNotes on 4 August 2022 was initially classified as an IM&T [information and technology] Serious Incident but was upgraded to a trust wide Critical Incident on 9 August 2022. 

A report from the CEO states: “This was a national incident affecting a number of other NHS organisations. The vast majority of the Trust’s clinical services along with a number of financial services were impacted and as a result a variety of business continuity measures were put in place in keeping with our emergency response protocols. The outage extended to both mental health and physical health services. 

It added: “This ongoing cyber incident has placed a huge burden on colleagues across Oxford Health, many of whom have worked considerably in excess of their contracted hours in order to deliver services.” 

The September board papers at Camden and Islington, meanwhile, state: “From early August, the Trust’s electronic patient record, known as CareNotes, has not been available. This is part of a wider national issue with the system provider, Advanced, being subject to a ransomware attack, which led to a national decision to suspend many of the systems it provides across the NHS and beyond.

“This incident has affected many other NHS organisations nationally and is being coordinated by NHS England at national level.” 

Camden and Islington declared a critical incident and implemented business continuity plans, including using Sharepoint. But to provide a longer-term interim solution the trust is switching to the RiO EPR for a minimum of 12 months from the end of September.    

The first affected trust due to be recovered was meant to be Coventry and Warwickshire Partnership NHS Trust and the trust’s September board papers note of the attack: “Measures are in place to ensure care records can be maintained in the interim, although this has absorbed significant operational and clinical capacity to address.”

The impact and disruption caused by the attack was also noted in South London and Maudsley’s September board papers, which referred to a national outage with a supplier.   

“At the time of writing, we are working with our third-party supplier to bring ePJS [SLAM’s patient record system] back online within the framework of a robust recovery plan, but unfortunately we cannot give precise timescales at the moment,” the papers state.

NHS England has declined to answer any questions on the incident or ongoing attempts to recover from it. Trusts affected meanwhile, when approached by Digital Health News have also declined to comment saying it was being dealt with by NHS England.