Ransomware gang leaks stolen Scottish healthcare patient data in extortion bid

Cyber extortionists have published to their darkweb blog sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, in a bid to demand money from the local health board.

The service announced earlier this month it was the target of “a focused and ongoing cyber attack,” and that while patient-facing services were functioning as normal, it warned of the risk “hackers have been able to acquire a significant quantity of data.”

A ransomware group calling itself INC Ransom claimed this week to hold terabytes of data exfiltrated from the organization, publishing some of this data samples on its extortion site as evidence.

A bespoke health board web page published to update patients about the impact of the attack confirmed “that clinical data relating to a small number of patients has been published.”

The criminals are threatening to release more data in the future unless the health board pays an extortion fee.

Dumfries and Galloway is the southernmost region of Scotland, sharing a border with northwestern England. It has a population of just under 150,000 people — almost all of whom are likely to be users of the country’s universal National Health Service.

In a statement, the regional NHS board’s chief executive, Jeff Ace, said: “We absolutely deplore the release of confidential patient data as part of this criminal act.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population,” said Ace.

He added that the health board would be contacting “any patients whose data has been leaked at this point, and continue working to limit any sharing of this information.”

The breach of medical data could be extremely distressing for patients, as happened with a ransomware attack affecting Australian health insurance business Medibank, when histories and treatment data was compromised by criminals.

The ransomware attackers, seeking to extort the Australian business and the affected patients, subsequently began publishing sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.

Ransomware attacks have hit numerous healthcare organizations in recent weeks. Earlier this month, a ransomware gang claimed to have sold data stolen from a children’s hospital in Chicago after listing it on the dark web for $3.4 million. Another attack on Change Healthcare has caused weeks of disruption to healthcare and billing operations at hospitals, clinics and pharmacies across the country. 

Attacks on British organizations have increased year-on-year since 2019. Earlier this week, the British government was accused by a parliamentary committee of taking the “ostrich strategy” by burying its head in the sand over the “large and imminent” national cyber threat posed by ransomware.

The Joint Committee on the National Security Strategy had previously warned that the government’s failures to tackle the threat meant there was a “high risk” the country faces a “catastrophic ransomware attack at any moment.”