A ransomware gang is threatening to release three terabytes (3TB) of NHS Dumfries and Galloway data following a recent ‘focused cyberattack’.

The INC ransomware group posted a ‘proof pack’ on its dark web site yesterday claiming to have infiltrated the health board’s systems.

The ‘announcement’ comes after NHS Dumfries & Galloway – one of Scotland’s 14 regional health boards – reported a cyber incident on March 15. It confirmed this afternoon that the ‘confidential patient data’ belonged to them, but NHS Ayrshire & Arran data also appeared among the screenshots.

In an announcement, alongside the ‘scot.nhs.uk’ web address, the gang said: “3 terabytes of data will be published soon.”

The leaked data appeared to include lab results for a two-year-old child, and patients being treated for obesity and vascular disease – with names, dates of birth and addresses.

“NHS Scotland currently employs approximately 140,000 staff who work across 14 territorial NHS Boards, seven Special NHS Boards and one public health body. Each NHS Board is accountable to Scottish Ministers, supported by the Scottish Government Health and Social Care Directorates,” the gang wrote, appearing to have copied and pasted corporate NHS Scotland information.

“Territorial NHS Boards are responsible for the protection and the improvement of their population’s health and for the delivery of frontline healthcare services. Special NHS Boards support the regional NHS Boards by providing a range of important specialist and national services.”

According to SOCRadar threat analysts, the group ‘appears to carefully select its targets, often aiming at entities with substantial financial resources and sensitive data’, with their attack methodology ‘combining initial access through spear-phishing or exploiting vulnerabilities, such as CVE-2023-3519 in Citrix NetScaler’.

NHS Dumfries and Galloway said it was ‘aware that clinical data relating to a small number of patients has been published by a recognised ransomware group’, adding: ‘This follows a recent focused cyberattack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.’

NHS Dumfries and Galloway Chief Executive Jeff Ace said: “We absolutely deplore the release of confidential patient data as part of this criminal act.

“This information has been released by hackers to evidence that this is in their possession.

“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government and other agencies in response to this developing situation.

“Patient-facing services continue to function effectively as normal. As part of this response, we will be making contact with any patients whose data has been leaked at this point.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

A Police Scotland spokesperson added: “Enquiries are ongoing.” 

According to cyber threat intelligence firm KELA, based in Tel Aviv, the group has claimed over 60 victims on its website, mostly from the US, since 2023. Most of the victim companies were from the professional services sector.

KELA also revealed that network access to NHS Scotland was being sold on the dark web in July 2023, but because of the time that has elapsed ‘we can assess with medium confidence that it’s not related to the current attack’.