NHSDG warns 150,000 patients to assume data has been published

NHS Dumfries and Galloway has warned almost 150,000 patients to assume that their personal data is likely to have been stolen and published online following a major cyber attack earlier this year.

Julie White, chief executive of the health board, has contacted every household in the area to update them on the cyber attack in March 2024 , and what they can do to stay safe online.

A ransomware group targeted the health board and when its demands were not met, it published around three terabytes of stolen patient data on the dark web.

A leaflet has been sent out by NHS Dumfries and Galloway, which will reach households across the region between 18 and 22 June. It includes the letter from Julie White, an easy-read version of the letter, and a list of frequently-asked questions.

In the leaflet, White says: “We are advising people in Dumfries and Galloway that the best approach to take is to assume that some data relating to you is likely to have been copied and published.

“This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else’s data.”

The leaflet highlights that the “millions of pieces of data copied and published” are generally very small, individual files, including x-rays, test results and correspondence between health and social care teams, correspondence between the health board’s teams and patients, and complaints letters.

“The volume of data stolen and the challenge of analysing it means a decision was taken to prioritise ‘high-risk’ data which generally relates to most vulnerable patients,” White added.

“If you are part of a high-risk group which represents a small number of people living in our communities, and we believe the publication of the stolen data represents an additional risk to you, we will be in touch with you to discuss this.

“As our investigations are ongoing, we will not be able to tell people what specific data has been published about them.”

NHS Dumfries and Galloway have identified potential risks, laid out in the leaflet, resulting from the publication of data. These are identity theft, security, extortion, and anxiety.

White concluded her letter by apologising to those affected: “On behalf of NHS Dumfries and Galloway, I would like to apologise for the anxiety which may have been caused to you due to this situation.

“We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies.”

More information is available online at the website www.nhsdg.co.uk/cyberattack. The helpline can be reached by calling 01387 216 777, Monday to Friday 9am to 6pm and Saturday 9am to 1pm.

This follows a ransomware attack on pathology service provider Synnovis, which disrupted services at King’s College Hospital NHS Foundation Trust, Guy’s and St Thomas’ NHS FT and South London and Maudsley NHS FT.

We reported yesterday that more than 800 planned operations and 700 outpatient appointments were rearranged in the week following the attack.