Staff unable to access patient files after Eastern Health cyber attack

“It is looking like he will probably have his entire toe amputated this week, but if they had known earlier, it probably would have just been the tip of his toe that needed to be amputated,” Ms Hayes said.

“I have been at the Box Hill hospital with him and the staff are beside themselves because they have to handwrite everything with pen and paper. The doctors and nurses are so stressed and it is really distressing for them and for the patients and their families.”

Category one elective surgeries – for patients who enquire treatment within 30 days – have continued at the health service as planned, but category two and three surgeries for less serious medical procedures were postponed.

Category two surgeries are procedures that need to happen within 90 days and that cause pain or disability, but are unlikely to escalate to an emergency. This could be something like a standard heart valve replacement. Category three surgeries include procedures such as hysterectomies and hip and knee replacements.

Loading

An Eastern Health spokeswoman said on Monday the “criminal attack had caused significant disruption” to the health service, with many systems remaining offline.

To date, it does not appear that any private patient data has been accessed. The spokeswoman said some elective surgeries resumed as of Monday morning and the health service was now providing two-thirds of scheduled outpatient clinic appointments.

“Extensive work continues to be undertaken with the support of the state and federal governments alongside IT experts,” she said.

“Staff and patient safety remains our number one priority.”

“We sincerely apologise for the delay and inconvenience this situation is causing many of our staff patients and broader community.”

Ms Hayes said her son was booked in for surgery at Box Hill Hospital later this week, but she was worried about other patients like him, who had complex needs, and may not be able to verbalise their medical histories.

“My biggest concern is that there will be other people like my son who won’t be able to tell the doctors or nurses looking after them what the problem is and somebody could die,” she said.

An Eastern Health spokeswoman said despite the IT challenges posed by the cyber attack, the health service’s “business continuity plans ensured this patient’s care information was correctly managed.”

She added that Eastern Health had processes in place help with the care of all non-verbal patients, including making contact with appropriate support people.

Loading

The Eastern Health cyber attack came less than two weeks before Media giant Nine Entertainment Co was hit by a major cyber attack hit in the early hours of Sunday morning.

The Australian Parliament also continues to investigate a potential cyber attack in Canberra on Sunday evening affecting government-issued smartphones and tablets.

“This really is the new normal, what we are experiencing is how it is going to be into the future,” RMIT University cyber security professor Matthew Warren said.

“Part of the issue is the fact there isn’t one perpetrator behind these attacks. It could state-based actors, criminal gangs or hackers.”

In 2019, a spate of major Victorian health services fell victim to cyber hacks, with ransomware attacks causing chaos at Barwon Health, Gippsland Health Alliance and South West Alliance of Rural Health.

The same year, a sophisticated cyber crime syndicate also hacked and scrambled the medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital and demanded a ransom.

“Hospitals are attractive targets, not just in Australia, but around the world because of the private data they hold,” Professor Warren said.

“Part of the problem with hospital is that with the money they have ... the resources go into medical help as you would expect, so it means their IT systems don’t get the same level of funding or attention.”

Professor Warren predicted governments will soon play a far greater regulatory role in protecting industries, like healthcare systems, which are of national importance, from the threat of cyber security breaches.

Eastern Health has been contacted for further comment.