HSE hack: Cancer patients could not be treated, and x-ray systems went offline

The PricewaterhouseCoopers report for the HSE reveals that cancer patients were particularly affected, as their large treatment teams usually rely on the NIMIS imaging system.
Cancer patients could not be treated during the cyberattack on the HSE, and hospital records were so disrupted that patients had to dig out old appointment letters to prove their identity.
In one startling case, a surgeon was left so confused they phoned a GP to ask where a patient expected for surgery was, only to be told the operation had already taken place.
Even people waiting on new child benefit payments or passports were affected as the HSE email system was down, cutting off communication with the General Register Office.
Women attending four maternity hospitals using the Maternal & Newborn Clinical Management System data system needed to have paper files created for them, including at Cork University Maternity Hospital.
These are just some of the direct impacts on patients from the cyberattack by a Russian ransomware gang in May this year. A report compiled by PWC for the HSE and published yesterday spells out the extent of the attack.
Cancer patients were particularly affected as their large treatment teams usually rely on the NIMIS imaging system which allows for easy sharing of X-rays and other images online. This went offline, with some patients, including from Cork University Hospital, sent to private providers instead.
The report also found NIMIS relies on Windows 7, with “over 30,000 outdated Windows 7 legacy systems” supporting key clinical systems. The HSE have said Windows 7 was not a factor in the attack, but it is understood they are updating NIMIS to move to Windows 10.
Thousands of operations were cancelled, but the report states that separating the impact on patients from that of the pandemic and staff shortages is challenging. It states there is still “incomplete data”, and cites “the difficulty in separately identifying the impact of the incident from other issues”.
However, senior HSE officials, including CEO Paul Reid, have said there were no deaths directly attributed to delays, despite initial fears that sharing handwritten records between laboratories and doctors might lead to errors.
There was one confirmed release of patient data relating to 520 people, again despite fears of wider issues. One of the first legal cases on foot of this was lodged in July against the Mercy University Hospital on behalf of a male cancer patient.
The report says the HSE did quickly inform relevant authorities once the attack hit, and a court order to prevent publication and sharing of patient data was given. A ransom demand for $20m (€17.7m) in bitcoin was not paid, the Government has said, although a decryption key was eventually released.
The report acknowledges the challenges of running an unwieldy system – covering hospitals, community care, and external providers – which includes old networks, some of which predate the HSE’s formation in 2005.
However, although it notes that staff quickly found workarounds for problems, it states: “HSE business continuity plans did not envisage a severe but plausible total IT loss scenario for a period of weeks”.
Staff burnout was noted frequently during interviews conducted by PWC, with many referring to the strain of the cyberattack in the middle of a pandemic.