‘Large volume’ of NHS Scotland data leaked on the dark web

A ransomware group has published a “large volume” of data belonging to NHS Dumfries and Galloway on the dark web. 

In March the cybercrime gang had already published data relating to a small number of patients as proof that they held the information and warned that more would follow unless a payment was made.

The new chief executive of NHS Dumfries and Galloway health board Julie White has confirmed a joint investigation with other national agencies including the Scottish Government, police and National Cyber Security Centre is underway to assess what information has been published.

White has called the release an "utterly abhorrent criminal act".

"We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.

"NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website.

"Data accessed by the cyber criminals has now been published onto the dark web - which is not readily accessible to most people.

"Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies," she added.

Speaking to the BBC, South of Scotland MSP Colin Smyth said "a very substantial amount of data" had been accessed, including contact details for staff and patients.

"It is important the NHS try to do what they did when the initial data was released - that is contact the individuals affected.

"But if they can't do that because the data is so substantial it is very important the NHS make that clear at an early stage, and at the very least contact the most vulnerable people whose data may have been released onto the dark web.”

A Scottish Government spokesperson has said there are “no further incidents across NHS Scotland as a whole”.