Trusts pursue tech firm for millions in cyber attack compensation

HSJ understands several mental health trusts are in discussions with technology firm Advanced over costs incurred from the outage of the Carenotes electronic patient record following the attack on the firm by hackers.

One trust – Devon Partnership Trust – estimates the impact of the outage will result in extra costs of more than £2m.

A source at national level said the trusts were being supported by NHS England with their remediation discussions with Advanced.

Speaking on an internal webinar of NHS mental health chief information officers – seen by HSJ – DPT’s CIO Raffael Sorribas confirmed they were in discussion with Advanced and their representatives about “how we might be recompensed” for all the costs incurred following the outage.

The cyber attack happened in early August and affected around a dozen NHS mental health trusts, as well as 111 and urgent and emergency services. Some trusts have still not regained access to Carenotes and have had to operate using paper records since the outage.

While reflecting on the trust’s response to the EPR incident, Mr Sorribas said the cost of manually recording, processing and presenting the data used since the attack was estimated at around £2.5m.

“Manual collection… would require 320 administrators and reduce clinical time to care by approximately 25 per cent,” he added.

Mr Sorribas said it would take up to six months to go through the “record recovery process”. The trust usually carries out around 10,000 “contacts” daily, each of which takes time to record. The trust has treated around 4,000 new patients whose data has had to be manually registered.

“We’re targeting to get data back to where it was by the end of the financial year,” Mr Sorribas said.

In addition, the outage has caused the trust to delay the implementation of a new electronic prescribing and medicines administration system and new medication dispensing cabinets.

Mr Sorribas praised the response from the NHS nationally, and the National Cyber Security Centre, but he said the involvement of a legal firm by Advanced had caused a less-than-hoped for level of transparency from a “customer perspective” – although he accepted this reflected the “serious nature of a vendor being attacked in this way and the implications of that”.

Advanced has previously confirmed that some data was “copied and exfiltrated”, although it said no patient data was taken.

The stolen data was held in the firm’s Staffplan and Caresys systems, which serve the domiciliary and care home sectors respectively.

DPT declined to comment further.

An NHSE spokeswoman said: “The NHS continues to support organisations impacted by Advanced’s software issues using tried and tested contingency plans, and to work with agencies across government to mitigate against future cyber threats in our supply chain.”

According to the regulator’s latest board papers – published this week – the cyber attack is “likely to have an ongoing impact on data over the next quarter as services restore routine practices and backload historic data”.

Advanced was approached for comment.