Hackers threaten to publish huge cache of NHS data

The latest cyber threat comes after an attack on NHS Dumfries and Galloway IT systems

A ransomware group is threatening to publish a huge cache of stolen data following a cyber attack on a Scottish health board.

NHS Dumfries and Galloway warned earlier this month that hackers could have acquired “a significant quantity” of patient and staff information.

A group calling itself INC Ransom has now said it will make public three terabytes of data unless its demands are met.

The cyber criminals have published what they’ve called a “proof pack,” including confidential information on a small number of patients.

The first minister said the government is doing everything it can to stop the release of the stolen data.

NHS Dumfries and Galloway confirmed that "clinical data relating to a small number of patients" had been published by a recognised ransomware group.

In a statement, it said hackers were able to access a significant amount of data including patient and staff-identifiable information.

Jeff Ace, the health board's chief executive, said patient-facing services were functioning "effectively as normal" after the attack on IT systems earlier this month.

He said that as part of the response, the health board will be making contact with any patients whose data has been leaked.

He said: “We absolutely deplore the release of confidential patient data as part of this criminal act.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

Mr Ace previously said that "a very great effort is being made to try to prevent the attack from being repeated".

The health board is continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies.

Is the stolen information valuable?

BBC News cyber reporter Joe Tidy said that, like most ransomware groups, Inc ransomware has a darknet website where it posts about victims and attempts to pressure them into paying.

The gang posted about NHS Scotland on Tuesday, with a threat to publish three terabytes of stolen data - an enormous amount - “soon”.

However, as is always the case with cyber attacks, it is the quality and not quantity of data that makes it more or less serious.

Along with the threat, the gang has posted some screenshots of the type of stolen material, calling it a “proof pack”.

The paperwork does look very sensitive - one is a letter between doctors about the cancer care of one patient, while another is a referral letter about a woman who is having mental health issues regarding her weight.

However, from the data being advertised so far, the information does not seem very valuable to cyber criminals.

Most of it is years old, with the most recent paperwork being from 2019.

It remains to be seen what else is now in criminal hands, and how the NHS will react.

The advice is to not pay criminals as it fuels their enterprise, so the likelihood is that the hackers will indeed publish the entire trove of data on their site.

It will then be pored over by other hackers to see if there’s a way to make a quick buck from further attacks.

A counter on the post shows the level of interest so far - 322 views.

'Extortion attempts'

Labour's South Scotland MSP Colin Smyth has described the threats to release the stolen NHS data as “deeply concerning for NHS staff and patients”.

Mr Smyth raised his fears at Holyrood with Health Secretary Neil Gray that the attack on NHS Dumfries and Galloway was related to “extortion” attempts.

Speaking in the Scottish Parliament, he added: "I have no doubt that this will have been the motive in the recent attack on Dumfries and Galloway."

Mr Gray previously said there were "well-established procedures" for dealing with cyber attacks.

He said steps were being taken to help people protect themselves, and called on staff and the public to "be on their guard".

Asked if enough was being done to protect Scotland’s public sector from cyber attacks, the First Minister Humza Yousaf said: “I’m confident and satisfied that the appropriate steps have been taken by health boards, not just by Dumfries and Galloway.

“We take our cyber security very seriously but there are hostile actors who are attempting to access data right across the public sector.

“We’ll continue to invest in cyber security where we can,” he added.

The first minister said the government and its partners are doing everything they can to stop the stolen data from being released.
