NHS Dumfries and Galloway has confirmed that patient clinical data has been leaked online by a ransomware group following the attack on its systems earlier this month.
The statement by the Scottish NHS Trust dated March 27, 2024, revealed that clinical data relating to a small number of patients has been published by a “recognized ransomware group.”
The trust acknowledged that in the cyber-attack, which it first reported on March 15, the hackers accessed “a significant amount of data including patient and staff-identifiable information.”
It follows a threat by the ransomware group Inc Ransom on its leak site that it will soon publish 3TB of data relating to NHS Scotland patients and staff unless its demands are met.
The threat actor also included a ‘proof pack’ in its post, which appeared to show a range of sensitive clinical documents, such as genetics reports and letters between doctors discussing patient treatments.
Trevor Dearing, director of critical infrastructure at Illumio, commented: “The methods used by INC Ransom are common among ransomware groups. Ransomware attacks against healthcare organizations are now multiple layers of extortion – cybercriminals will look to steal and leak sensitive data, as well as affect operational up-time. Stolen healthcare data can be sold on the dark web for a quick profit or used in identity fraud.”
NHS Helping Impacted Patients
NHS Dumfries and Galloway Chief Executive Jeff Ace said the service is making contact with patients whose data has been leaked at this point and will continue working to limit any sharing of this information.
“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population,” he commented.
Ace acknowledged that the information has been released by the attackers to prove it is in their possession. He made no reference to any ransom demand made by the group.
“We absolutely deplore the release of confidential patient data as part of this criminal act,” he said.
Ace added: “We are continuing to work with Police Scotland, the National Cyber Security Centre (NHS), the Scottish Government, and other agencies in response to this developing situation.”
Ace also emphasized that patient-facing services are continuing to function as normal.
Commenting on the story, Dr Ilia Kolochenko, CEO at ImmuniWeb, believes the nature of the data included in the ‘dump’ could cause potentially catastrophic consequences to some of the impacted patients.
“For instance, if an HIV status, sexual health or terminal cancer diagnosis is publicly revealed, it can ruin people's careers or even provoke suicide,” he noted.
Kolochenko added that such an extreme scenario may even justify the payment of a ransom, although he acknowledged that this would still not guarantee that the data would not be leaked elsewhere.
NHS Unlikely to Give into Ransom Demands
William Wright, CEO of Closed Door Security, said the leak by INC Ransom shows the attackers are frustrated they haven’t received a pay out yet.
However, he noted that such a payment is very unlikely to be forthcoming, given the UK’s government’s public stance against paying ransomware actors.
Wright said the attackers would be aware of this, suggesting their motivation could be purely to cause damage to the UK, rather than financial.
Healthcare in the Crosshairs of Ransomware Attacks
The attack on NHS Dumfries and Galloway follows a spate of ransomware incidents targeting healthcare organizations so far in 2024.
This includes the ongoing incident impacting US healthcare payment provider Change Healthcare, which has caused delays to patient care across the US, including medicine prescriptions.
It was reported that Change’s parent company, UnitedHealth Group, paid a $22m ransom to the BlackCat ransomware group to recover access to data and systems encrypted by the group.
In February 2024, the US government warned the healthcare sector that it has become the biggest target of BlackCat.
Erfan Shadabi, cybersecurity expert at comforte AG, said that the attack on the NHS Scotland Trust should trigger further alarm bells within the healthcare sector.
“It is difficult to grasp a situation in which 3TB of the most personal and sensitive health information is being stolen,” he stated.
Shadabi urged healthcare organizations to pause and consider their cybersecurity choices.
“Let’s not lose sight of the end victim, which is the individual whose private and sensitive health data wrongfully becomes public,” he outlined.
Matt Aldridge, Principal Solutions Consultant at Opentext Cybersecurity, acknowledged that cyber-incidents of this nature are posing huge risks to patient safety, operations and public trust in healthcare infrastructure.
“NHS Scotland is rightfully conducting a thorough investigation to determine the extent of the breach, to identify vulnerabilities in its systems, and take immediate steps to prevent further unauthorized access,” said Aldridge.
Healthcare often appears to be a relatively soft target for threat actors. For example, a report by Sophos in October 2023 found that data was successfully encrypted in 75% of ransomware attacks on healthcare organizations last year.
Image credit: Koshiro K/Shutterstock.com