NHS Dumfries and Galloway are working with the National Cyber Security Centre (NCSC) following the publication of around three terabytes of stolen patient data on the dark web by a ransomware group.
The health board confirmed in an update on its website, published on 6 May 2024, that ransomware group Inc Ransom have followed through with threats to publish a large volume of stolen data onto the dark web.
Following a “focused and ongoing” cyber attack announced by NHS Dumfries and Galloway on 5 March 2024, it was confirmed on 27 March 2024 that data relating to a small number of patients had been released by Inc Ransom and the group claimed to be in possession of 3TB of data from NHS Scotland.
Julie White, chief executive of NHS Dumfries and Galloway, said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data”.
She also confirmed that work was taking place with partner agencies to assess the data which has been published.
In a further statement, published on 10 May 2024, NHS Dumfries and Galloway said that it had not contacted the people who have had data published online, because “identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a large endeavor”.
The health board confirmed that the cyber criminals accessed “hundreds of thousands of very small, separate pieces of data” housed across a range of separate directories, including individual letters from one consultant to a patient, letters from one consultant to another consultant, test results and x-rays.
However, it said that cyber criminals did not access the primary records system for patients’ health information, which contains people’s entire medical history, because this is on a separate system which was not accessed.
“Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people,” it added.
An NCSC spokesperson told Digital Health News that they “are working with NHS Dumfries and Galloway to fully understand the impact of the incident”.
Dr Saif Abed, founding partner and director of cybersecurity advisory services at The AbedGraham Group, told Digital Health News that he believes NHS organisations continue to struggle with cybersecurity owing largely “to the lack of cyber-resiliency across many of the IT suppliers that operate across the NHS”.
“If we don’t address the supply chain risks, then the threat to patient data will only grow,” he said.
“I also continue to be concerned that the patient safety impact of cyber attacks, like ransomware, are not fully understood or appreciated and the threat of catastrophic consequences will only grow as digital transformation continues to gather pace without appropriate safeguards,” Dr Abed added.
The cyber attack is the subject of a live criminal investigation and is being “regarded by investigators as specialist data,” NHS Dumfries and Galloway said on its website.