Stolen Medical Data of Scottish NHS Patients Leaked on Dark Web by Cyber Hackers

Private medical records of NHS patients are being found online with just a few clicks, following a major data breach at NHS Dumfries and Galloway. A hacking group, INC Ransom, has stolen a significant amount of data, totaling 3TB—equivalent to 43 million emails. This vast trove of personal information was then uploaded to the dark web after the group demanded a ransom to keep the information confidential.

The Sunday Mail was able to access some of these documents to confirm the validity of the breach. They contained personal details of at least six patients, revealing names, dates of birth, CHI numbers, addresses, and in some cases, email addresses. The data also included sensitive information about their medical histories, test results, and private disclosures made to doctors.

Despite the early detection of this breach, NHS Dumfries and Galloway admits it does not know the full extent of the breach or how many more individuals could be affected. Labour’s deputy leader, Jackie Baillie, has called on Health Secretary Neil Gray to explain how the breach occurred and what measures are in place to prevent similar attacks in other health boards.

Baillie said, “It’s now clear that some of the most sensitive data imaginable is part of this leak, but the SNP have stayed silent, leaving patients alone with their fears. That’s unacceptable.”

Experts warn that the breach could lead to identity theft and other types of fraud against those whose information was compromised. Professor Lynne Coventry, director of Abertay University’s cybersecurity research center, stated, “Health records can be more valuable than financial records as they can often contain sensitive health information in addition to financial details.”

The data breach is significant enough to potentially involve thousands of people, but authorities are not yet sure about the exact impact. Patrick McGuire, partner at Thompsons Solicitors, has called for the NHS to be transparent about the scale of the breach and provide support to those affected. He added that the NHS could face significant legal claims from individuals whose data was exposed.

McGuire said, “The amount of information is enormous. This has to be one of the biggest data breaches in the NHS in Scotland, possibly in the whole of Scotland. People whose information has been taken will likely seek financial compensation, and defending these claims could be a huge challenge.”

The health spokesman for the Scottish Conservatives, Dr. Sandesh Gulhane, said that Health Secretary Neil Gray must take responsibility and explain to the public what actions are being taken to mitigate the damage and prevent future attacks.

Police Scotland has confirmed that an investigation is ongoing. NHS Dumfries and Galloway has admitted the scale of the attack makes it difficult

to determine exactly what data the hackers could access or to identify all the affected individuals. The health board has contacted the six patients whose information was already released online.

“This is a disturbing breach that requires immediate action from the government and the NHS,” said Gulhane. “Patients have the right to know whether their personal information has been compromised and what steps are being taken to ensure their safety.”

The Information Commissioner’s Office has been notified of the incident, and NHS Scotland is currently assessing the breach’s impact and working with law enforcement to identify and apprehend those responsible.

This cybersecurity attack has highlighted vulnerabilities within the NHS and emphasizes the importance of maintaining robust security measures. The exact fallout from this data breach remains to be seen, but the repercussions could be significant if steps are not taken to mitigate the damage and protect those affected.