NHS Dumfries & Galloway

Cyber attacks on NHS Dumfries and Galloway

Click here for the Frequently Asked Questions document

Update: 23.08.24

The NHS Dumfries and Galloway cyber attack helpline has now closed. If you still have questions about the attack, please contact the NHS DG Communications Team on dgcommunications@nhs.scot, or by calling 01387 246246.

Update: 17.06.24

NHS Dumfries and Galloway chief executive Julie White has contacted every household in Dumfries and Galloway to update them on the cyber attack in February this year – and what they can do to stay safe online.

The leaflet will reach households across the region between 18th and 22nd June. It includes the letter from Julie White, an Easy-Read version of the letter, and a list of frequently-asked questions.

Download the leaflet in PDF form by clicking on the links below:

Page 1

Page 2

 

Update: 21.05.24

Cyber criminals launched an attack on NHS Dumfries and Galloway’s IT systems in February.

While they were in our systems, they had access to a large volume of patient and staff-identifiable data, and there was a very real concern that they may have been able to obtain that data.

We noted that this was a very serious situation, working alongside national agencies like Police Scotland, The National Crime Agency, The National Cyber Security Centre and The Scottish Government – taking their advice and direction.

This included ensuring our IT systems were secured and could not be encrypted by the cyber criminals before we were able to talk about what had happened.

We asked everyone to look out for suspicious activity such as unusual emails or people calling up claiming to have their data or other NHS data. We asked everyone to report any incident like this to Police Scotland by calling 101.

Meanwhile, we set up the web-page www.nhsdg.co.uk/cyberattack as a place where updates would be collected. A helpline then followed, on 01387 216 777, operating Monday to Friday 9 am to 6 pm, and Saturday 9 am to 1 pm.

The cyber criminals were not able to deploy any software which might have locked our IT systems.

No data on our systems was deleted or altered as a result of the cyber attack, and services have continued to run as normal. No patient appointments or operations have had to be cancelled or rescheduled.

However, the cyber criminals said they would publish stolen data unless their unspecified demands were met.

On Monday 6 May 2024, they carried out that threat – publishing over 3 terabytes of data.

The type of data which had been stored about staff means an increased risk of identity theft. Staff have been advised to be on their guard, and have been provided details about actions they can take to reduce this risk.

Compiling a list of patients affected by the publication of data is neither quick nor easy. This is because of the type and volume of data which was stolen.

The cyber criminals did *not* access the primary records system for patients’ health information – the system used by GPs, and contains people’s entire medical history in one location. This is a separate system, and it was not accessed.

Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from consultants to patients, letters between consultants, test results, x-rays, etc.

As you will appreciate, identifying data which was taken, working through the millions of documents to find identifiable individuals and then assembling all their data is a massive undertaking.

Progress is being made very quickly thanks to the deployment of software in support, but this work is prioritised on ‘high-risk’ data which often relates to particularly vulnerable people.

Because of this, it’s likely that the majority of communications to the public will continue to remain general – rather than targeted to specific people. We continue to work closely with the Information Commissioner’s Office on this matter.

No interaction has been entered into with those responsible for the cyber attack.

We continue to follow the advice and direction of partner agencies.

We do not know why the cyber criminals targeted NHS Dumfries and Galloway.

In terms of why the cyber criminals actually published the stolen data, we are advised that this is likely to demonstrate to any future victims that they will carry out their threats unless their demands are met.

Given that the stolen data has now been made public on the Internet by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web.

NHS Dumfries and Galloway is far from the only organisation to have been targeted cyber criminals. Leicester City Council was went through a very similar experience with this group at the same time, while other high-profile cyber attack victims include the Ministry of Defence, the United Nations and the British Library, as well as many private companies.

A great deal of work has been undertaken by IT teams working with national colleagues to make our systems as secure as they can be. However, we continue to advise everyone to be on their guard for any suspicious activity.

Please note that NHS Dumfries and Galloway will never contact anyone asking for passwords or payment details.

We have not set out how they were able to access our IT systems. This is at the direction of Police Scotland who say note that the cyber attack is the subject of a criminal investigation and that these details are specialist knowledge.

Police Scotland have produced the following statement:

A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.

“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.

“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”

 

Update: 10.05.24

At the start of this week we advised that patient and staff-identifiable data stolen during the cyber attack on NHS Dumfries and Galloway had been published.

Inevitably, questions have followed, and we now seek to provide further understanding and clarity.

A key question being posed is why the people whose data has been published have not yet been contacted.

Unfortunately, compiling a list of people affected by the data publication is neither quick nor easy. This is because of the type and volume of data which was stolen.

The cyber criminals did *not* access the primary records system for patients’ health information – which is the system used by GPs, and contains people’s entire medical history in one location. This is a separate system, and it was not accessed.

Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from one consultant to a patient, letters from one consultant to another consultant, test results, x-rays, etc.

These are housed across a range of separate directories reflecting the very large and complex service structures of NHS Dumfries and Galloway.

As you will appreciate, identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking.

Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people.

It is therefore likely that the majority of public communications will remain general rather than person specific. We continue to work closely with the Information Commissioner’s Office on this matter.

Another question posed is how the cyber criminals were able to access the NHS Dumfries and Galloway systems.

Details of what took place around the cyber attack are the subject of a live criminal investigation and regarded by investigators as specialist knowledge. While stolen information has been made public, work has been undertaken with external experts to ensure that systems are as secure as possible.

Given that the stolen data has now been made public by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web.

As we have stated from the very beginning, this is a very serious matter. We do recognise the comments this week by the founding Chief Executive of the National Cyber Security Centre, Ciaran Martin, where he advises people not to panic, and points to previous experiences of health data breaches such as in Australia.

Nevertheless, as we have done throughout, we continue to ask people to be on their guard for any unusual activity which might relate to this incident – attempts to gain access to computers, suspicious emails, phone calls from people claiming to be in possession of their health data or any NHS data.

These incidents should be reported to Police Scotland by phoning 101.

Police Scotland continue to support us in the work responding to the cyber attack and the publication of the data, and they have produced the following statement which reflects that this is a matter being taken extremely seriously, the legal considerations, the work continuing to take place, and the range of agencies involved.

A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.

“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.

“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”

Update: 06.05.24

 

A large volume of data has been published by a ransomware group.

This follows the recent cyber attack on NHS Dumfries and Galloway, when cyber criminals were able to access a significant amount of data including patient and staff-identifiable information.

Data relating to a small number of patients was released in March, and the cyber criminals had threatened that more would follow.

Reacting to the latest publication of data, NHS Dumfries and Galloway Chief Executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website available from tomorrow.

“Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people.

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

Information is being regularly updated on the website www.nhsdg.co.uk/cyberattack, and a dedicated telephone helpline will be open to the public from tomorrow on 01387 216 777, operating Monday to Friday 9 am to 6 pm, and Saturday 9 am to 1 pm.

Everyone is meanwhile advised to be alert for any attempts to access their work and personal data, or for approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means.

In all instances, people are advised to take down details about the approach and contact Police Scotland by phoning 101.

Update: 23.04.24

NHS Dumfries and Galloway continues to focus on recovery after a very significant cyber attack earlier this year.

IT systems are running normally in the wake of what was a focused and persistent attack.

A very large amount of patient and staff-identifiable data was accessed during the attack which began at the end of February. The scale and breadth of information which the cyber criminals were able to access makes it difficult to define the data which they may have been able to download, or to address this on an individual patient and staff member basis.

No operations or appointments are identified as having had to be cancelled or postponed as a direct consequence of the attack. Instead, the immediate impact was primarily on staff working arrangements – as the response required some changes to their ways of working and led to limitations on how they access IT systems.

The cyber criminals have so far published a ‘proof pack’ demonstrating that they possess stolen data. The content of the proof pack related to six individual patients. These patients have all been contacted by NHS Dumfries and Galloway.

To date, NHS Dumfries and Galloway has received a relatively small number of approaches from members of the public, mainly focused on questions and concerns about emails or approaches they have received. None has so far proved to be related to the attack.

However, we encourage everyone to remain on their guard for anyone trying to access their data, or for approaches by anyone claiming to possess NHS data relating to them or anyone else. All such incidents should be reported to Police Scotland by calling 101.

A robust response has been mounted by the Health Board’s IT teams, working with advice provided by experts such as the National Cyber Security Centre. Actions have been taken to address any further risk of incursion and practical testing will shortly take place before consideration of any moves to lift remaining limitations on staff accessibility to IT systems.

We are aware of expectations around transparency in relation to the cyber attack, but would highlight once again that this remains a live and very serious criminal matter, and a situation where ensuring the security of systems is paramount.

NHS Dumfries and Galloway has been the victim of a very significant and determined cyber attack which has potential implications for the people who work for the Board and those who are served by it.

We are extremely sorry for the anxiety which has been caused, and have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies, and being very mindful of security considerations.

Update:

28.03.24

Everyone is being urged to remain on their guard following a criminal cyber attack on NHS Dumfries and Galloway – almost two weeks on from the publication of stolen data.

NHS Dumfries and Galloway Chief Executive Julie White said: “We all must remain highly vigilant in the wake of what was a targeted and sustained cyber attack, and we are aware there is a risk of publication of further data.

“Everyone is advised to be alert for any attempts to access their data, or for approaches by anyone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means.

“In all instances, people are advised to take down details about the approach and contact Police Scotland by phoning 101.”

Mrs White added: “We are aware that the information held by the cyber criminals could include confidential, clinical patient information, and are advising people across our communities to be on their guard.

“We are also asking our staff to be aware of the range of data relating to individual staff members which is stored in different areas of our systems.

“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”

Update: 28.03.24

Frequently-asked questions

NHS Dumfries and Galloway has published a list of frequently-asked questions regarding the cyber attack.

Update: 27.03.24

Release of data in NHS Dumfries and Galloway cyber attack

NHS Dumfries and Galloway is aware that clinical data relating to a small number of patients has been published by a recognised ransomware group.

This follows a recent focused cyber attack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.

NHS Dumfries and Galloway Chief Executive Jeff Ace said: “We absolutely deplore the release of confidential patient data as part of this criminal act.

“This information has been released by hackers to evidence that this is in their possession.

“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation.

“Patient-facing services continue to function effectively as normal.

“As part of this response, we will be making contact with any patients whose data has been leaked at this point, and continue working to limit any sharing of this information.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

NHS Dumfries and Galloway will continue to provide updates via the website www.nhsdg.co.uk/cyberattack

For more information about staying safe online, visit the National Cyber Security Centre’s website: https://www.ncsc.gov.uk/cyberaware/home or https://www.ncsc.gov.uk/guidance/data-breaches

The alert below was published on 19 March 2024.

SERVICES delivered by NHS Dumfries and Galloway are generally running as normal – following a cyber attack on its IT systems.

Meanwhile, work continues to assess the consequences of the incursion into NHS systems, and the concern that those responsible may have acquired a significant amount of data including patient and staff-specific information.

Offering an update, NHS Dumfries and Galloway Chief Executive Jeff Ace said: “As you would expect, this has been viewed as an extremely serious matter demanding a major response.

“Over recent days we’ve been very busy working with partner agencies to ensure the security of our systems, to adapt to the associated disruption, and to assess the potential risk posed by the hackers’ ability to access data.

“It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position.

“However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.

“The NHS Board views patient and staff confidentiality as a key priority, along with ensuring welfare and wellbeing. As such, very great effort is being made to address this situation, and to try to prevent it from being repeated.

“We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101.”

Advice to individuals and their families on how to protect themselves from the impact of data is offered by the National Cyber Security Centre at this address: https://www.ncsc.gov.uk/guidance/data-breaches

The alert below was published on 15 March 2024.

Alert: 15.03.24

NHS Dumfries and Galloway has been the target of a focused and ongoing cyber attack.

This prompted a swift response in line with our established protocols, working with partner agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.

There may be some disruption to services as a result of this situation.

During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data.

Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data.

Breach of confidential data is an incredibly serious matter. We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.

In any of these situations, contact Police Scotland immediately by phoning 101.

Updates will be provided via this web-site, www.nhsdg.co.uk/cyberattack