National Records of Scotland has confirmed that a ‘large volume’ of data has been accessed and published by hackers following a cyberattack on a Scottish health board.
The government agency, which holds Scotland’s national civic registration data, including births, marriages and deaths, was exposed to the hack on NHS Dumfries and Galloway.
Millions of files belonging to the health board were published on the gang’s dark web site earlier this month in a ‘signifiant’ breach that the board is still responding to – with the help of police and the National Cyber Security Centre.
Now, NRS has confirmed that ‘some of its data’ was also held on an IT network administered by the board, which fell victim to the hack by the INC ransomware gang in February.
NRS chief executive Janet Egdell said today: “We are aware that this will be distressing news for those individuals most directly affected. This is a live criminal investigation, and we are working closely with NHS Dumfries and Galloway, Police Scotland, Scottish Government and other agencies involved in the inquiry.
“NRS takes cyber security and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”
The agency, which has its headquarters in West Register Street in Edinburgh, said it holds information on the NHS Dumfries and Galloway IT network as it ‘runs an administrative service for the NHS to allow the transfer of patient records when people move between health board areas, across borders within the UK or move overseas.’
It said it has been assessing the stolen information through a ‘prioritised risk assessment process’ and has identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack. It is understood that fewer than 50 people are being written to because the information taken about them is considered to have the potential to “put them at risk of harm”.
The Information Commissioner, the data and privacy regulator, has also been contacted, the agency said.
The agency added: “Some information which comes from the statutory births, deaths and marriages registers was also accessed. This information is used to correctly identify patients and maintain the accuracy of the service.”
It said that the cyberattack caused ‘some initial disruption’ to the operation of the service but with the support of staff and partners it has been fully operational since shortly after the attack took place.
NHS Dumfries and Galloway released a fresh update yesterday following the incident, which raised fears of staff being targeted by identify theft scammers. They were advised to be on their guard and given access to risk-reducing measures.
The health board reiterated the message that the hackers did not access the primary records system for patients’ health information – the system used by GPs, containing people’s entire medical history in one location.
A spokesperson said: “Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from consultants to patients, letters between consultants, test results, x-rays, etc.”
The health board said also that the cybercriminals made ‘unspecified demands’ before publishing the three terabytes on May 6. It said also that other victims had fallen prey to the gang, and cited recent cyber intrusions affecting British and international government organisations.
The spokesperson added: “Leicester City Council was went through a very similar experience with this group at the same time, while other high-profile cyber attack victims include the Ministry of Defence, the United Nations and the British Library, as well as many private companies.