National Records of Scotland (NRS) has revealed that sensitive personal data it holds was accessed and published as a result of the ransomware attack on NHS Dumfries and Galloway.
The NRS data was part of 3TB of data published by cybercriminals on the dark web on May 6.
The Scottish Government agency, which stores demographic and census records such as births, deaths and marriages, said it identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack, which was first reported in March 2024.
This data was held on the NHS Dumfries and Galloway IT network because the NRS runs an administrative service which allows the transfer of patient records when people move between health board areas, across borders within the UK or move overseas.
Additionally, some information from statutory births, deaths and marriages registers was also accessed in the data leak. This information is used to correctly identify patients and maintain the accuracy of the service.
Less than 50 people have had information taken about them that is considered to have the potential to put them at risk of harm. These individuals have been contacted by the NRS.
NHS Patients and Staff at Risk of Identity Theft
In March, a ‘proof pack’ of clinical and personally identifiable information of patients and staff was posted by the Inc Ransom gang on its leak site, with the group threatening the publish the rest of the data unless its demands were met.
The Scottish NHS Trust did not meet the attackers’ “unspecified demands,” resulting in the rest of the data being released, the service stated in an update on May 21.
“No interaction has been entered into with those responsible for the cyber-attack,” it noted.
Following an analysis of the published data, the Trust said the information accessed and published about staff puts them at an increased risk of identity theft.
It also determined that the cybercriminals did not access the primary records system for patients’ health information.
Instead, they accessed “millions of very small, separate pieces of data.” This included highly sensitive clinical and personal information about patients, such as individual letters from consultants to patients, letters between consultants, test results and x-rays.
The Trust warned patients and staff to be on guard for unsolicited communications and the risk of identity theft. “Given that the stolen data has now been made public on the Internet by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web,” it wrote.
Millions of documents are now being analyzed to find identifiable individuals with ‘high-risk’ data.
Due to the scale of the stolen data, the Trust said it is likely the majority of its communications about the breach will continue to remain general, rather than targeted to specific people.
No details have yet been given about how the attackers were able to access NHS Dumfries and Galloway’s IT systems because the incident is the subject of a criminal investigation by Police Scotland, who have determined that these details are specialist knowledge, the Trust stated.