NHS Dumfries and Galloway are working with the National Cyber Security Centre (NCSC) following the publication of around three terabytes of stolen patient data on the dark web by a ransomware group.

The health board confirmed in an update on its website, published on 6 May 2024, that ransomware group Inc Ransom have followed through with threats to publish a large volume of stolen data onto the dark web.

Following a “focused and ongoing” cyber attack announced by NHS Dumfries and Galloway on 5 March 2024, it was confirmed on 27 March 2024 that data relating to a small number of patients had been released by Inc Ransom, and the group claimed to be in possession of 3TB of data from NHS Scotland.

Julie White, chief executive of NHS Dumfries and Galloway, said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data”.

She also confirmed that work was taking place with partner agencies to assess the data which has been published.

In a further statement, published on 10 May 2024, NHS Dumfries and Galloway said that it had not contacted the people who have had data published online, because “identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking”.

The health board confirmed that the cyber criminals accessed “millions of very small, separate pieces of data” housed across a range of separate directories, including individual letters from one consultant to a patient, letters from one consultant to another consultant, test results and x-rays.

However, it said that cyber criminals did not access the primary records system for patients’ health information, which contains people’s entire medical history, because this is on a separate system which was not accessed.

“Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people,” it added.

An NCSC spokesperson told Digital Health News that they “are working with NHS Dumfries and Galloway to fully understand the impact of the incident”.

Dr Saif Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group, told Digital Health News that he believes NHS organisations continue to struggle with cybersecurity owing largely “to the lack of cyber-resiliency across many of the IT suppliers that operate within the NHS”.

“If we don’t address the supply chain risks, then the threat to patient data will only grow,” he said.

“I also continue to be concerned that the patient safety impact of cyber attacks, like ransomware, are not fully understood or appreciated and the threat of catastrophic consequences will only grow as digital transformation continues to gather pace without appropriate safeguards,” Dr Abed added.

The cyber attack is the subject of a live criminal investigation and is being “regarded by investigators as specialist knowledge,” NHS Dumfries and Galloway said on its website.