The NHS Appraisal Toolkit website could have been vulnerable to hackers 'for years', say its developers.

The website's supplier, the Sowerby Centre for Health Informatics at Newcastle (SCHIN), said it did not know how long security vulnerabilities that forced the site's closure last month had existed.

But it reassured GPs that regular testing of the nine-year-old site had mitigated any risk to personal data.

SCHIN chief executive Professor Ian Purves defended the DoH's decision to close the website after criticism from GPs.

He said the DoH acted correctly to protect data belonging to the site's 27,000 users. 'This situation is an example of good practice,' he said.

The DoH said it conducts quarterly security checks on its websites, but it is unclear how often these checks were made before mid-2009 when current IT security plans were adopted.

The DoH said it has 'no reason' to suspect other DoH sites shared this vulnerability.

Many GPs have complained about the timing of the closure, with appraisals needing to be completed by the end of March.

Hampshire GP Dr Caroline Kennedy-Cooke wasted several hours uploading data for her appraisal only for the site to close. 'It would have been much better to have had more notice - 24 hours would have allowed a back-up,' she said.

The DoH apologised but said this would have increased the likelihood of a security breach.

GPs also criticised the three-week downtime required to fix the site. Security expert David Harley, a former NHS IT manager, said: 'Three weeks is a long time to close down for a security check ... but it's not necessarily a "negative".'

The DoH did not confirm if a major overhaul of site security was needed, but Mr Harvey said it could take three weeks or more to develop a fix, especially if there were 'significant coding errors'.

Exeter GP Dr Adrian Midgley called the website unsatisfactory, and called for details of the fault to be made public.