National Records of Scotland reveals its data stolen in 'distressing' NHS health board cyber attack

Last month, NHS Dumfries and Galloway was the victim of a cyber attack, which may have compromised a “significant quantity” of data. The health board announced the data includes information that could identify patients and staff, and has called in the Scottish Government, Police Scotland and the National Cyber Security Centre to deal with the issue.

The NRS holds information on the NHS Dumfries and Galloway IT network as it “runs an administrative service for the NHS to allow the transfer of patient records when people move between health board areas, across borders within the UK or move overseas”.

The statistical organisation said it has been assessing the stolen information “through a prioritised risk assessment process” and had identified “a small number of cases” where there was sensitive information “held temporarily” on the network at the time of the attack.

Some information that comes from the statutory births, deaths and marriages registers was also accessed. This information is used to correctly identify patients and maintain the accuracy of the service.

Janet Egdell, chief executive of the NRS, said: “We are aware that this will be distressing news for those individuals most directly affected. This is a live criminal investigation, and we are working closely with NHS Dumfries and Galloway, Police Scotland, Scottish Government and other agencies involved in the inquiry.

“NRS takes cyber security and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”

The cyber-attack caused some “initial disruption” to the operation of the service, the NRS said, “but with the support of staff and partners it has been fully operational since shortly after the attack took place”.

In a statement posted to its website, NHS Dumfries and Galloway said: “During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data.

“Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data. Breach of confidential data is an incredibly serious matter. We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.”

NRS has opened a mailbox for enquiries from members of the public at [email protected].

Analysis: How safe is your data with the nation's healthcare service?

This attack is not the first time the UK’s healthcare system has been targeted by hackers, or indeed in Europe.

Governments across the continent were spurred into action in May 2021, after the national and local IT systems of the Health Service Executive (HSE), Ireland’s equivalent of the NHS, were hit by a cyber attack.

According to NHS Digital, the perpetrators – suspected to be a Russian-based criminal gang – “had used one type of software to infiltrate the systems, which opened the door to the deployment and activation of another type of software – a ransomware package known as Conti”.

“It began to delete back-up functions, disable key security protocols and encrypt vital files,” a statement from NHS England’s technological wing reads.

“Hospitals across Ireland lost access to electronic records, services were disrupted, appointments were cancelled, and some medical equipment was disabled. Data had also been compromised. The gang claimed it had patient details, employee records and financial information, and reportedly demanded a ransom of €16.5m [£14m] to prevent the release of the data and to decrypt the files.

“The job of restoring the affected systems has been gradual, with 95 per cent of servers and devices back up and running by September 2021.”

The incident led to cyber security experts across the world to look closer at ransomware – software that holds data ransom on behalf of hackers – and how it can be used against healthcare systems.

However, healthcare systems tend to have large, interconnected networks which contain older computer models and software, which makes them vulnerable targets for software, which trawls the internet looking for weaknesses in computer systems.

As well as relying on weaknesses in computer networks, criminals also look for sensitive information that can be used for blackmail – the NHS has this in abundance.

Therefore, without updating much of the NHS’ older ‘legacy’ computer systems, it will always remain a target for potential criminals.