Doctors were forced to keep patient records on pieces of paper and emails after a huge cyber attack crippled critical Scots NHS systems.
Health Secretary Humza Yousaf has been accused of suppressing details of the hack, despite fears confidential files for millions of people could have been stolen and treatment waiting times hit.
The ransomware attack, which crippled the Adastra system, blocked access to patient records for months, with some parts still not working today.
The security breach on August 4 has been described as one of the worst cyber attacks in the history of the NHS, affecting up to 5.5million patients across Scotland as well as services in England and Wales.
The National Cyber Security Centre and GCHQ are involved in the investigation, with speculation that Russian hackers, or more likely a gang of cyber criminals, are behind the incident.
MSPs have questioned why the Scottish Government and, in particular, Yousaf have failed to make any public statement on the attack or tell Holyrood of its impacts, including if any patient data was stolen.
NHS National Services Scotland (NSS) said there was “no indication” patient data had been compromised but, when asked to clarify, it was unable to give a definitive response.
Advanced, the firm which operates the Adastra software, was also unable to say if patient data was affected when asked last month. But the company said it was “monitoring the dark web as a belt-and-braces measure”, in case hackers had stolen patient information and tried to sell it online.
Adastra is patient management software which is supposed to allow access to patient care notes across all parts of the NHS, including out-of-hours GP services, A&E and NHS24.
The attack blocked access to patients’ records across Scotland, forcing medics to resort to keeping notes on paper or in email and Word documents for months.
Most of the services were back to normal by mid-October but one – Adastra remote – is still not working, which means mobile medics cannot update patient records.
It has also affected waiting times, with Scotland’s largest health board unable to provide data on out-of-hours waiting times between August and October. Other health boards are thought to have the same issues.
NHS Greater Glasgow and Clyde said the IT system was now “back in use, however not all aspects of the system are fully operational and there remains limited recording of some aspects of the out-of-hours service”.
Paul O’Kane, Labour MSP for West Scotland, demanded that Yousaf make an urgent statement. He said: “The fact that neither the health minister nor NHS leaders have disclosed this serious cyber attack and the consequences simply beggars belief.
“It is shocking that systems are still not fully operational and there is a serious risk of a data breach concerning patients’ information, as well as an impact on waiting times and data.
“We need answers as to how many patients were affected, how long it will take until systems are fully restored and over the scale of the disruption to NHS business. We need transparency in order to have trust in our NHS – instead, Humza Yousaf has swept this whole episode under the carpet.”
The Scottish Government denied it covered up the attack, telling the Sunday Mail it was the responsibility of Advanced, the software owner, to provide information.
A spokeswoman said: “The incident was widely reported and all information is in the public domain. It is the responsibility of the supplier to confirm details – available online.
“Core systems were fully restored and ongoing monitoring by Scottish Government resilience officials working closely with all relevant organisations is in place.”
NHS NSS, which provides services to all 14 NHS boards across Scotland, said boards were “working to update their electronic records as swiftly as possible” after keeping notes on paper during the attack.
Scottish Conservative Shadow Health Secretary Dr Sandesh Gulhane MSP said: “This appalling cyber attack caused huge inconvenience for already-overstretched frontline NHS staff and alarm to patients whose safety may have been compromised.
“As Health Secretary, it’s Humza Yousaf’s duty to explain to Scottish patients how this attack has impacted them, and hopefully allay their fears.
“It’s unacceptable that he’s made no public statement on this issue because people have a right to know definitively whether their personal details have been obtained by hackers.”
Asked why it had not issued any public statement, a spokesman said: “NHS NSS is responding on a national basis. In common with all NHS Scotland health boards, we are fully committed to transparency.”
Steven Flockhart, director of digital and security at NHS NSS, said: “NSS has worked with our fellow health boards and the supplier to successfully minimise the impact of the Adastra cyber attack.
“The rapid rollout of contingency planning ensured there was minimal impact on patients. The majority of affected services were restored within weeks. There is no indication of any patients’ details being compromised.
“We are working with colleagues across NHS Scotland to complete the final stages of restoring the few services that remain unavailable.”