Following a cyberattack on NHS Dumfries and Galloway, Scotland’s public archiving body has revealed that some of its information was compromised – with up to 50 people ‘at risk of harm’

A significant amount of data from the National Records of Scotland was accessed as part of a recent cyberattack on an NHS health board.

The organisation, a national public body that gathers statistics and archives public records, runs a service transferring the records of patients when they move between different Scottish health board areas – or out of the country entirely. This service is hosted on the IT network of NHS Dumfries and Galloway.

Following a ransomware assault on the health board in February, the National Records of Scotland (NRS) has “identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack”.

NRS has got in touch with almost 50 people whose data has been compromised in a way that “is considered to have the potential to put them at risk of harm”.

Related content

• Capita admits possible compromise of customer data during cyberattack
• Hebridean council works on data recovery following cyberattack
• Cyber Security Week: Analysis – how and where are attackers getting in?

Beyond this, some information “from the statutory births, deaths and marriages registers.. which is used to correctly identify patients and maintain the accuracy” of the NRS’s records-transfer services was also accessed during the attack.

The records body has informed the Information Commissioner of the breach.

NRS chief executive Janet Egdell said: “We are aware that this will be distressing news for those individuals most directly affected. This is a live criminal investigation, and we are working closely with NHS Dumfries and Galloway, Police Scotland, the Scottish Government, and other agencies involved in the inquiry. NRS takes cyber security and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”

Earlier this month, NHS Dumfries and Galloway said cyberattackers had released on the dark web “a large volume” of data stolen from the health board – including some information related to children’s mental health.

Police Scotland has advised the public should not attempt to access or share any leaked data as they may be committing an offence under the Data Protection Act.