A south-west hospital said the crippling cyber attack that took multiple hospitals offline for nearly six weeks could have been avoided.
Portland District Health (PDH) health informatics director Clair Holt said the state government knew public hospital security systems were vulnerable to hackers months before it happened.
"It's not that we knew it was going to happen, but it was a case of being lucky that it hadn't happened yet," she said.
"After seeing the VAGO report we made recommendations to the Department of Health that we needed financial assistance to ensure our systems were adequate, and they hadn't been forthcoming in that time.
"All that has been indicated by the state government is that there will be a full, independent investigation in terms of what we could be doing better going forward."
Ms Holt's role is basically to oversee patient data, making her job one of the most stressful to be in when faced with the possibility that confidential patient information had been lost or stolen.
She said they were thankfully able to get on top of the cyber intrusion before that happened.
"The servers that were affected by the phishing email were identified pretty quickly," she said.
"To be honest we were just lucky that we were vigilant enough to realise something was going on in the network and quarantine the ransomware attack before any further systems were impacted.
"There was an element of quick-thinking that led to pulling the pin on a lot of those systems."
PDH is part of the South West Alliance of Rural Health (SWARH) network which was hit by the attack. The Gippsland Health Alliance was also attacked. South West Healthcare, Colac Area Health, Latrobe Regional Hospital and University Hospital Geelong are among the health services affected.
The hospitals' IT systems are expected to be fully restored by the end of this week, with all patient records already safe and in use.
South West Healthcare would not say if it expected to be online by the end of the week too.
So what actually happened? Ms Holt explains: "So what caused us to get the breach in the first place was a phishing attack through an email.
"What they did to make sure we were really safe was they essentially detached us from the external internet - the rest of the world.
"As they did that they worked their way through each server, there's hundreds of servers across the south-west region, and they had to check each one before they could reconnect internally.
"The ones that were compromised were taken well out of the system and were rebuilt. Then we had to put a number of things in place such as getting a higher virus and security check and changing our passwords."
During the first week after the cyber attack, specialist outpatient information in the consulting suites was on a server that was compromised.
"The information itself was safe but the machine it was on was unsafe and therefore it couldn't be accessed during the first week," Ms Holt said.
"We quickly established a replication and the database was rebuilt over the first week and then back in use."
After week one it was basically business-as-usual for the health service. Internal internet was working, electronic patient records were in working order. The biggest hurdle was not having access to email.
"While it's caused extra headaches on the admin side of things, as we had to chase results that would normally flow through automatically, it was about getting on the phone, calling and getting them faxed, and that was fine," Ms Holt said.
"People with appointments that first week often had to wait while we retrieved their letters and results via paper, but their information was recorded and safe," she said.
"While they were securing and making sure everything was safe on the server, we could read all the notes and access them. Once the server was verified, we have been back using our normal patient management system.
"It has been a cautious return to full access but we were able to flick to paper patient records quite quickly, which was previously standard practice."
During the last week of October PDH got access to internal emails and in the meantime had established alternatives through the use of dongles for people who needed to make contacts outside the hospital.
Programs that require external internet access have been steadily returning to use.
All emails will be recovered and existing email addresses will be retained.
Ms Holt said the silver lining to the attack was the opportunity to review systems and reliance on email.
"We will make sure we save attachments in safe places and that we have back-ups available," she said.
The Victorian Government is working with the impacted health services, Victoria Police and the Australian Cyber Security Centre to manage the incident in which the infiltration of ransomware blocked access to several systems.
More information about the issue can be found on the Department of Premier and Cabinet's website: www.vic.gov.au/cyber-health-incident