Stolen children’s health records posted online in extortion bid

Another batch of sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, has been published by criminals demanding an extortion payment from the local health board.

The newest tranche of data includes children’s health records. Julie White, the health board’s chief executive, described the release as “an utterly abhorrent criminal act.”

It follows NHS Dumfries and Galloway announcing in March it had been the target of “a focused and ongoing cyber attack,” and that while patient-facing services were functioning as normal, there was a risk “hackers have been able to acquire a significant quantity of data.”

A ransomware group calling itself INC Ransom subsequently claimed to hold terabytes of data exfiltrated from the organization, publishing some of this data samples on its extortion site as evidence.

Dumfries and Galloway is the southernmost region of Scotland, sharing a border with northwestern England. It has a population of just under 150,000 people — almost all of whom are likely to be users of the country’s universal National Health Service.

A bespoke page on the service’s website about the incident was updated this week confirming that more data had been published by the criminals.

“NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow,” stated White.

Members of the public impacted by the incident can call the helpline on 01387 216 777, Monday to Friday 9 a.m. to 6 p.m., and Saturday 9 a.m. to 1 p.m.

“Work is beginning to take place with partner agencies to assess the data which has been published,” added the statement on the official website.

“This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Speaking to BBC News, White said it was unlikely that the hackers were able to access entire patient records and that the entire patient base of Dumfries and Galloway was probably not impacted, although “significant quantities” of patients were affected. She confirmed that children’s mental health records had been among the data published.

There are concerns that the released data could expose individuals to fraud. The website warns people to be alert to “approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means.”

If anyone receives such an approach, they are advised to “take down details about the approach and contact Police Scotland by phoning 101.”

The breach of medical data could be extremely distressing for patients, as happened with a ransomware attack affecting Australian health insurance business Medibank, when histories and treatment data was compromised by criminals.

The ransomware attackers, seeking to extort the Australian business and the affected patients, subsequently began publishing sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.