NHS Scotland confirms ransomware attackers leaked patients’ data

NHS Dumfries and Galloway (part of NHS Scotland) has confirmed that a “recognised ransomware group” was able to “access a significant amount of data including patient and staff-identifiable information,” and has published “clinical data relating to a small number of patients.”

“NHS DG still holds the original files and they have not been altered or deleted. Some information has been copied and leaked. NHS DG will contact everyone whose information is known to have been leaked. We are still investigating how much information has been stolen. Unfortunately we cannot yet rule out that more information will be leaked in the future,” the board said.

What is known about the attack?

NHS Dumfries and Galloway is one of the 14 territorial boards operated by NHS Scotland, a healthcare system that’s part of UK’s publicly funded National Health Service.

On March 15, 2024, it suffered a cyber attack and let patients know that the attackers likely made off with patient-identifiable and staff-identifiable data.

The attack has been claimed by INC Ransom, a relatively new ransomware extortion operation, which claims to have compromised 3 terabypes of data.

On Tuesday, the group released a “proof pack” consisting of a handful of sensitive documents (reports, analysis results, and letters between patients and physicians), to incentivize the board to pay the ransom in exchange for keeping the stolen data under wraps.

Advice for affected individuals

“We absolutely deplore the release of confidential patient data as part of this criminal act. We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation,” NHS Dumfries and Galloway Chief Executive Jeff Ace said.

“As part of this response, we will be making contact with any patients whose data has been leaked at this point, and continue working to limit any sharing of this information. NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

The board counseled staff and patients to be on their guard for anyone accessing their systems, anyone making contact with them claiming to be in possession of any information, and to be cautious regarding their own online activity. “It is possible that stolen information could be used in an attack,” they added.

Finally, they reassured patients that their medical records have not been tampered with, that NHS Dumfries and Galloway is delivering care as normal, and that more information about the attack will be shared as the investigation progresses.

According to the Scottish Government, the ransomware attack hasn’t spread to the rest of NHS Scotland.