Millions of files belonging to a Scottish health board have been dumped on the dark web by hackers.
Sensitive documents, including confidential patient data, held at NHS Dumfries & Galloway have been uploaded to a ransomware blog following a weeks-long extortion attempt by cybercriminals.
The haul, amounting to 3 terabytes of data, is now fully live and accessible using specialist Tor browser software – in what appears to be one of Scotland’s largest cyberattacks to date.
The information, seen by Futurescot, appears to include folders containing multiple files dating back to 2015.
Records belonging to individual patients across a range of treatment areas – including breast cancer care and cardiac rehabilitation – are among data exposed by the INC ransomware gang.
Julie White, NHS Dumfries and Galloway chief executive, said: “This is an utterly abhorrent criminal act by cybercriminals who had threatened to release more data.
“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.
“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”
She added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website now available.
“Data accessed by the cybercriminals has now been published onto the dark web – which is not readily accessible to most people.
“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”
The data was exposed following what the health board described as a ‘focused and ongoing’ cyberattack in early March.
Health officials warned of a possible risk to a ‘significant quantity’ of patient and staff data following the breach.
In the following weeks, the health board issued a series of updates to keep the public informed about risks to their personal data – and issued an apology for the ‘anxiety’ caused.
The initial hack was limited to a ‘proof pack’ of data issued by the hackers on their blog, which included information on six patients being treated by the board.
But that has now been superseded by the much larger leak, which the hackers claim amounts to 3 terabytes of data.
The data, which Futurescot has seen but whose contents it is not revealing, includes sensitive information on vulnerable children being treated by mental health services.
It raises difficult questions for the health board in relation to its cybersecurity controls as an ‘operator of essential services’ (OES). Currently, the NHS and Scottish Water are defined as OES, and as such require an ‘additional level of legal compliance regarding cyber security’, as outlined last year in a report by Audit Scotland.
That stipulation means health boards must comply with the EU Network and Information Systems Regulations 2018 (NIS Regulations), and must be subject to an external audit of their ‘cyber security controls’.
Information is being regularly updated on the website www.nhsdg.co.uk/cyberattack, and a dedicated telephone helpline is now open on 01387 216777, operating Monday to Friday 9 am to 6 pm, and Saturday 9 am to 1 pm.
Meanwhile, the health board advised people to be alert for any attempts to access their work and personal data, or for approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or ‘some other means’.
It said, however, that the cybercriminals did not access the primary records system for patients’ health information – which is the system used by GPs, and contains people’s entire medical history in one location.
A spokesperson said: “Instead, what the cybercriminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from one consultant to a patient, letters from one consultant to another consultant, test results, x-rays, etc.
“These are housed across a range of separate directories reflecting the very large and complex service structures of NHS Dumfries and Galloway.”
A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.
“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.
“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”
Tess White MSP, Scottish Conservative deputy health spokesperson, said: “It is deeply concerning that patients’ private records have been accessed in this way and they will be rightfully alarmed that this information has been made public.
“After the last major cyberattack on NHS Scotland in 2022, the SNP government must be transparent about what steps were implemented to prevent a major breach like this happening again, and why this failed.”