The personal data of at least 293 Scottish NHS staff have been compromised in a cyber-attack against a supplier in the United States.
US-based Landauer provides ionising radiation monitoring services for eight NHS health boards across Scotland. The company holds personal information including names, radiation dose, dates of birth and national insurance numbers for these staff.
On Tuesday, one of those NHS boards confirmed the personal data of 293 of its staff were affected by a cyber-attack on Landauer.
Although it is not yet clear how staff at other health boards have been affected, the Scottish government has confirmed nine boards have contracts with Landauer.
In a statement, NHS Ayrshire & Arran chief executive John Burns said: “We have been informed by one of our service providers, Landauer, that it has experienced a data security attack on one of its UK servers which affects our staff.”
No patients were affected by the breach, he said.
The statement also revealed that the company was aware of the cyber-attack in October but had only recently informed its NHS customers.
This was because it “wanted to identify the extent of the attack and the numbers of NHS staff affected before communicating this to NHS Boards”.
Landauer has also since terminated a contract with a third-party company involved in the attack.
Scottish government ministers were notified on 25 January.
A Scottish Government spokesman said in a statement: “We take the protection of personnel data extremely seriously and this data breach is being fully investigated by health boards”.
“Landauer has taken action to ensure their systems are now secure”, he said.
“They are continuing to work with boards to support staff and ensure all data is now protected”.
It comes as the Commons’ Public Accounts Committee report, published on Friday, highlights the threats to government from cyber-attacks.
The report criticised the Cabinet Office’s oversight of cyber security, stating that “there appears to be no coordination across the wider public sector”.
“There is little oversight of the costs and performance of government information assurance projects, and processes for recording departmental personal data breaches are inconsistent and dysfunctional.”