HSE hack: Cancer patients could not be treated, and x-ray systems went offline

HSE hack: Cancer patients could not be treated, and x-ray systems went offline

The PriceWaterhouseCooper report for the HSE reveals that cancer patients were particularly affected, as their large treatment teams usually rely on the NIMIS imaging system. Stock picture

Cancer patients could not be treated during the cyberattack on the HSE, and hospital records were so disrupted that patients had to dig out old appointment letters to prove their identity.

In one startling case, a surgeon was left so confused they phoned a GP to ask where a patient expected for surgery was, only to be told the operation had already taken place.

Even people waiting on new child benefit payments or passports were affected as the HSE email system was down, cutting off communication with the General Register Office.

Women attending four maternity hospitals using the Maternal & Newborn Clinical Management System data system needed to have paper files created for them, including at Cork University Maternity Hospital.

Cancer patients particularly affected

These are just some of the direct impacts on patients from the cyberattack by a Russian ransomware gang in May this year. A report compiled by PWC for the HSE and published yesterday spells out the extent of the attack.

Cancer patients were particularly affected as their large treatment teams usually rely on the NIMIS imaging system which allows for easy sharing of X-rays and other images online. This went offline, with some patients, including from Cork University Hospital, sent to private providers instead.

The report also found NIMIS relies on Windows 7, with “over 30,000 outdated Windows 7 legacy systems” supporting key clinical systems. The HSE have said Windows 7 was not a factor in the attack, but it is understood they are updating NIMIS to move to Windows 10.

HSE also affected by pandemic and staff shortage  

Thousands of operations were cancelled, but the report states that separating the impact on patients from that of the pandemic and staff shortages is challenging. It states there is still “incomplete data”, and cites “the difficulty in separately identifying the impact of the incident from other issues”.

However, senior HSE officials, including CEO Paul Reid, have said there were no deaths directly attributed to delays despite initial fears sharing handwritten records between laboratories and doctors might lead to errors.

There was one confirmed release of patient data relating to 520 people, again despite fears of wider issues. One of the first legal cases on foot of this was lodged in July against the Mercy University Hospital on behalf of a male cancer patient.

The report says the HSE did quickly inform relevant authorities once the attack hit, and a court order to prevent publication and sharing of patient data was given. A ransom demand for $20m (€17.7m) in bitcoin was not paid, the Government has said, although a decryption key was eventually released.

Unwieldy and outdated systems

The report acknowledges the challenges of running an unwieldy system — covering hospitals, community care, and external providers — which includes old networks, some of which predate the HSE’s formation in 2005.

However, although it notes that staff quickly found workarounds for problems, it states: “HSE business continuity plans did not envisage a severe but plausible total IT loss scenario for a period of weeks".  

Staff burnout was noted frequently during interviews conducted by PWC, with many referring to the strain of the cyberattack in the middle of a pandemic.

More in this section

Puzzles logo

Puzzles hub

Text header

From florist to fraudster, leaving a trail of destruction from North Cork, to Waterford, to Clare, to Wexford and through the midlands ... learn how mistress of re-invention, Catherine O'Brien, scammed her way around rural Ireland.

Execution Time: 0.218 s