NHS Dumfries & Galloway

Cyber attacks on NHS Dumfries and Galloway

Update: 10.05.24

At the start of this week we advised that patient and staff-identifiable data stolen during the cyber attack on NHS Dumfries and Galloway had been published.

Inevitably, questions have followed, and we now seek to provide further understanding and clarity.

A key question being posed is why the people whose data has been published have not yet been contacted.

Unfortunately, compiling a list of people affected by the data publication is neither quick nor easy. This is because of the type and volume of data which was stolen.

The cyber criminals did *not* access the primary records system for patients’ health information – which is the system used by GPs, and contains people’s entire medical history in one location. This is a separate system, and it was not accessed.

Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from one consultant to a patient, letters from one consultant to another consultant, test results, x-rays, etc.

These are housed across a range of separate directories reflecting the very large and complex service structures of NHS Dumfries and Galloway.

As you will appreciate, identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking.

Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people.

It is therefore likely that the majority of public communications will remain general rather than person specific. We continue to work closely with the Information Commissioner’s Office on this matter.

Another question posed is how the cyber criminals were able to access the NHS Dumfries and Galloway systems.

Details of what took place around the cyber attack are the subject of a live criminal investigation and regarded by investigators as specialist knowledge. While stolen information has been made public, work has been undertaken with external experts to ensure that systems are as secure as possible.

Given that the stolen data has now been made public by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web.

As we have stated from the very beginning, this is a very serious matter. We do recognise the comments this week by the founding Chief Executive of the National Cyber Security Centre, Ciaran Martin, where he advises people not to panic, and points to previous experiences of health data breaches such as in Australia.

Nevertheless, as we have done throughout, we continue to ask people to be on their guard for any unusual activity which might relate to this incident – attempts to gain access to computers, suspicious emails, phone calls from people claiming to be in possession of their health data or any NHS data.

These incidents should be reported to Police Scotland by phoning 101.

Police Scotland continue to support us in the work responding to the cyber attack and the publication of the data, and they have produced the following statement which reflects that this is a matter being taken extremely seriously, the legal considerations, the work continuing to take place, and the range of agencies involved.

A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.

“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.

“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”

Update: 06.05.24

 

A large volume of data has been published by a ransomware group.

This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient and staff-identifiable information.

Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people.

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

Information is being regularly updated on the website www.nhsdg.co.uk/cyberattack, and a dedicated telephone helpline will be open to the public from tomorrow on 01387 216 777, operating Monday to Friday 9 am to 6 pm, and Saturday 9 am to 1 pm.

Everyone is meanwhile advised to be alert for any attempts to access their work and personal data, or for approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means. 

In all instances, people are advised to take down details about the approach and contact Police Scotland by phoning 101.

Update: 23.04.24

NHS Dumfries and Galloway continues to focus on recovery after a very significant cyber attack earlier this year.

IT systems are running normally in the wake of what was a focused and persistent attack.

A very large amount of patient and staff-identifiable data was accessed during the attack which began at the end of February. The scale and breadth of information which the cyber criminals were able to access makes it difficult to define the data which they may have been able to download, or to address this on an individual patient and staff member basis.

No operations or appointments are identified as having had to be cancelled or postponed as a direct consequence of the attack. Instead, the immediate impact was primarily on staff working arrangements – as the response required some changes to their ways of working and led to limitations on how they access IT systems. 

The cyber criminals have so far published a ‘proof pack’ demonstrating that they possess stolen data. The content of the proof pack related to six individual patients. These patients have all been contacted by NHS Dumfries and Galloway.

To date, NHS Dumfries and Galloway has received a relatively small number of approaches from members of the public, mainly focused on questions and concerns about emails or approaches they have received. None has so far proved to be related to the attack.

However, we encourage everyone to remain on their guard for anyone trying to access their data, or for approaches by anyone claiming to possess NHS data relating to them or anyone else. All such incidents should be reported to Police Scotland by calling 101.

A robust response has been mounted by the Health Board’s IT teams, working with advice provided by experts such as the National Cyber Security Centre. Actions have been taken to address any further risk of incursion and practical testing will shortly take place before consideration of any moves to lift remaining limitations on staff accessibility to IT systems. 

We are aware of expectations around transparency in relation to the cyber attack, but would highlight once again that this remains a live and very serious criminal matter, and a situation where ensuring the security of systems is paramount.

NHS Dumfries and Galloway has been the victim of a very significant and determined cyber attack which has potential implications for the people who work for the Board and those who are served by it.

We are extremely sorry for the anxiety which has been caused, and have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies, and being very mindful of security considerations.

Update:

28.03.24

Everyone is being urged to remain on their guard following a criminal cyber attack on NHS Dumfries and Galloway – almost two weeks on from the publication of stolen data. 

NHS Dumfries and Galloway Chief Executive Julie White said: “We all must remain highly vigilant in the wake of what was a targeted and sustained cyber attack, and we are aware there is a risk of publication of further data. 

“Everyone is advised to be alert for any attempts to access their data, or for approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means. 

“In all instances, people are advised to take down details about the approach and contact Police Scotland by phoning 101.” 

Mrs White added: “We are aware that the information held by the cyber criminals could include confidential, clinical patient information, and are advising people across our communities to be on their guard.

“We are also asking our staff to be aware of the range of data relating to individual staff members which is stored in different areas of our systems.

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

Update: 28.03.24

Frequently-asked questions

NHS Dumfries and Galloway has published a list of frequently-asked questions regarding the cyber attack. 

Update: 27.03.24

Release of data in NHS Dumfries and Galloway cyber attack

NHS Dumfries and Galloway is aware that clinical data relating to a small number of patients has been published by a recognised ransomware group.

This follows a recent focused cyber attack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.

NHS Dumfries and Galloway Chief Executive Jeff Ace said: “We absolutely deplore the release of confidential patient data as part of this criminal act.

“This information has been released by hackers to evidence that this is in their possession.

“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation.

“Patient-facing services continue to function effectively as normal.

“As part of this response, we will be making contact with any patients whose data has been leaked at this point, and continue working to limit any sharing of this information.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

NHS Dumfries and Galloway will continue to provide updates via the website www.nhsdg.co.uk/cyberattack

For more information about staying safe online, visit the National Cyber Security Centre’s website: https://www.ncsc.gov.uk/cyberaware/home or https://www.ncsc.gov.uk/guidance/data-breaches

The alert below was published on 19 March 2024.

SERVICES delivered by NHS Dumfries and Galloway are generally running as normal – following a cyber attack on its IT systems.

Meanwhile, work continues to assess the consequences of the incursion into NHS systems, and the concern that those responsible may have acquired a significant amount of data including patient and staff-specific information.

Offering an update, NHS Dumfries and Galloway Chief Executive Jeff Ace said: “As you would expect, this has been viewed as an extremely serious matter demanding a major response.

“Over recent days we’ve been very busy working with partner agencies to ensure the security of our systems, to adapt to the associated disruption, and to assess the potential risk posed by the hackers’ ability to access data.

“It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position.

“However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.

“The NHS Board views patient and staff confidentiality as a key priority, along with ensuring welfare and wellbeing. As such, very great effort is being made to address this situation, and to try to prevent it from being repeated.

“We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101.”

Advice to individuals and their families on how to protect themselves from the impact of data is offered by the National Cyber Security Centre at this address: https://www.ncsc.gov.uk/guidance/data-breaches

The alert below was published on 15 March 2024.

Alert: 15.03.24

NHS Dumfries and Galloway has been the target of a focused and ongoing cyber attack.

This prompted a swift response in line with our established protocols, working with partner agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.

There may be some disruption to services as a result of this situation.

During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data.

Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data.

Breach of confidential data is an incredibly serious matter. We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.

In any of these situations, contact Police Scotland immediately by phoning 101.

Updates will be provided via this web-site, www.nhsdg.co.uk/cyberattack