Attack on third-party software vendor disrupts NHS ambulance services

NHS ambulance from the South Central Ambulance Service being charged in a facility, with the service's logo in the foreground
(Image credit: Getty Images)

NHS ambulance services in the south of England have been impacted by a security incident at a third-party service provider, with systems knocked offline and staff unable to access records. 

South Western Ambulance Service Foundation Trust (SWASFT) and the South Central Ambulance Service Trust (SCAS), have both reported that staff have been forced to rely on paper records following the incident. 

The source of the disruption has been traced to an attack on Ortivus, a Swedish third-party software provider for the trusts. 

Both ambulance services use the firm’s MobiMed software, which provides real-time information sharing for paramedics “throughout the pre-hospital care chain”. 

The software is used by more than 12,000 paramedics across Europe and the UK, including hundreds of ambulances across the two trusts. 

Last week on 18 July , the Swedish company confirmed it had fallen victim to a cyber attack that targeted its data center environment. 

The firm revealed that electronic patient records were unavailable and that users would be forced to use manual systems “until further notice”. 

Ortivus insisted at the time that no patients had been “directly affected” by the incident, adding that “no other systems have been attacked and no customers outside of those in the hosted data center have been affected”. 


A whitepaper from ServiceNow covering how to lay a strategic foundation for cloud security that protects what matters to your business

(Image credit: ServiceNow)

Choosing the right technology to strengthen cloud security and risk management

Get started on finding an automated solution that addresses your key security concerns.


In a follow-up statement on 21 July, the firm said that it was “ready to re-initiate” MobiMed electronic patient records for customers that were affected by the attack. 

Ortivus noted that it was awaiting “final approval by NHS authorities before the ambulance trusts can reconnect”.

“Ortivus can announce that the MobiMed ePR system that was hit by the previously reported cyber attack is ready to be re-initiated for the affected customers as an interim live environment has been constructed using new equipment,” the firm said. 

“Before the system can be brought into operation it has to be approved and verified by an independent actor to ensure that the system meets certain criteria indicated by NHS England and the Ambulance Trusts.”

Exact details on the scale of the attack, or those responsible, are yet to be confirmed by Ortivus. Similarly, whether patient data has been directly exposed as a result of the attack is yet to be confirmed. 

An NHS spokesperson told ITPro it was aware of the incident and that it was working with the affected trusts. 

“We are aware of an incident affecting a small number of ambulance services. Our Cyber Security Operations Centre is working with affected organizations to investigate, alongside law enforcement colleagues, and supporting suppliers as they work to reconnect the system.”

Lucrative targets in healthcare

This attack marks the second major cyber-related disruption for NHS services in the space of a month. 

In early July, the Barts Health NHS Trust was struck by a cyber attack believed to have been carried out by the BlackCat ransomware group. 

The trust was cited on the group’s dark web victim blog in the wake of the incident with claims that several terabytes of sensitive data had been compromised. 

This included “confidential documents” such as financial details and copies of passports and driving licenses, the group claimed. 

Spencer Starkey, VP of EMEA at SonicWall, said the incident serves as a stark reminder that healthcare organizations are viewed as prime targets for highly sophisticated and aggressive hacker groups. 

“The recent heinous attack on the UK NHS ambulance service is one of many reminders of the threat the healthcare industry currently faces,” he said. 

“Cyber criminals are actively targeting the most critical aspects of our society. In this digital era, the abundance of servers and processing power has created an ideal environment for cyber criminals seeking systems to exploit for their own gain.”

Despite the increased targeting of healthcare organizations globally, research from ENISA has shown that many still employ lackluster defenses to counter growing threats. 

Its analysis of the healthcare industry in the EU found that only 27% of organizations have a dedicated ransomware defense program. 

Similarly, nearly half (40%) told the cyber security agency that they have “no security awareness program for non-IT staff”, which could be exacerbating risks. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.