All households in Scottish region to get alert about hackers publishing stolen medical data

All households in the Scottish region of Dumfries and Galloway are set to receive letters warning them that cybercriminals are likely to have published medical data about them stolen from the National Health Service (NHS) in a ransomware attack in February.

The cybercrime group behind the attack, INC Ransom, claimed in March that it would publish the confidential medical files unless NHS Dumfries and Galloway made an extortion payment. The health trust refused to do so.

A copy of the notices to be sent across the southernmost region of Scotland, bordering northwest England, was published on the NHS Trust’s website on Monday. They will reach just under 150,000 people, most of whom are likely to be users of the country’s universal health system.

Julie White, the NHS Trust’s chief executive, advises the recipients “that the best approach to take is to assume that some data relating to you is likely to have been copied and published.”

“This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else’s data,” she wrote.

The millions of stolen documents “are generally very small” and range from x-ray images to test results. However, the chief executive expressed specific concerns about data relating to the most vulnerable patients, and said that NHS staff would be reaching out directly to those individuals to discuss the risks.

In general, the letter warns that there is a risk of identity theft for NHS staff due to the amount of data gathered on those staff during the recruitment process.

It adds: “It is an acknowledged risk that the stolen data could be used to exploit or threaten people. This could either be by the cyber criminals who copied the data or someone who accesses it now that it has been published.”

Patients in the region have been encouraged to report any suspicious approaches from people claiming to possess their data to Police Scotland.

The letter acknowledges that a breach of medical data could be extremely distressing for patients, citing a similar ransomware attack affecting Australian health insurance business Medibank in 2022.

In the Australian incident, patient histories and treatment data for around 480,000 individuals — including information about drug addiction treatments and abortions — were published online.

“The sheer scale of that data meant that the impact was limited, and it has been suggested by one prominent cyber security expert that this may also be the case in Dumfries and Galloway,” White, of NHS Dumfries and Galloway, said.