Cyber attack on IT supplier hits two major ambulance trusts

Staff at two UK ambulance services have been forced to fall back on traditional analogue systems to carry on working after access to patient record systems hosted by a third-party supplier was disrupted in a cyber attack of an undisclosed nature.

The services in question are the South Western Ambulance Service NHS Foundation Trust and the South Central Ambulance Service NHS Foundation Trust, both users of MobiMed, a system operated by Sweden-based Ortivus.

Between them, the two services cover patients across a swathe of southern England, from Cornwall to Buckinghamshire, taking in communities including Bath, Bournemouth, Bristol, Exeter, Milton Keynes, Oxford, Plymouth, Reading, Southampton and Swindon.

Ortivus said its systems came under attack on the evening of Tuesday 18 July, affecting UK customer systems within its hosted datacentre environment.

“The electronic patient records are currently unavailable and are until further notice handled using manual systems. No patients have been directly affected. No other systems have been attacked and no customers outside of those in the hosted datacentre have been affected,” said the organisation’s CEO Reidar Gårdebäck in a statement.

“Ortivus are currently working in close collaboration with the affected customers to restore the systems and recover data. The affected customers are the ones using MobiMed ePR, electronic patient record systems in a hosted environment.”

Gårdebäck said the group that carried out the cyber attack had not been identified. The incident has been reported to the necessary law enforcement agencies.

The affected service, MobiMed, is described as a “modular platform” to connect and enable real-time information sharing across the pre-hospital care chain, and is supposedly in use by over 12,000 paramedics in 2,700 ambulances.

Its modules comprise MobiMed Monitor, a monitoring solution to measure and share patients’ vital health data, such as electrocardiogram (ECG) information, in transit; MobiMed ePR, an electronic patient record solution; MobiMed enRoute, which assists in case management and vehicle navigation; and MobiMed Life, which is a line of standalone defibrillators. The impacted service is understood to be MobiMed ePR.

Ortivus did not directly confirm the identity of the affected ambulance services, but had previously announced the transition of both trusts to a new hosting environment after they renewed their contracts in 2020.

An NHS spokesperson said: “We are aware of an incident affecting a small number of ambulance services. Our Cyber Security Operations Centre is working with affected organisations to investigate, alongside law enforcement colleagues, and supporting suppliers as they work to reconnect the system.”

Ortivus additionally said it had been ready to restart the service in an interim live environment within 48 hours, however, it was waiting for the replacement system to be approved and verified to be certain it meets the NHS’s strict security criteria. This process can be somewhat time-consuming; following a LockBit ransomware attack on a software supplier in 2022, affected NHS bodies took over a month to get back on their feet while the rebuild process was validated and verified by both the NHS and the National Cyber Security Centre (NCSC).