All 150,000 residents of Dumfries and Galloway warned to assume data loss in NHS cyberattack


Following a ransomware assault in February, patient data from NHS Dumfries and Galloway has been leaked on the dark web – with all the local population liable to have been affected

The NHS Dumfries and Galloway health board has told everyone in the region – comprising 150,000 residents – to assume some of their data is likely to have been leaked following a major cyberattack in February.

The health board’s chief executive Julie White is expected to send a leaflet to all households describing the situation as “extremely serious” and advice on how to stay safe online.

In May, the health board confirmed a “large volume” of its data had been leaked on the dark web, including some children’s mental health data. The National Records of Scotland (NRS) has confirmed a “large volume” of its data was also accessed as part of the incident.

Patients considered at “high risk” are expected to be contacted individually by the health board.

X-rays, test results and letters between healthcare professionals are among the information that has been published.


Related content


South Scotland MSP Colin Smyth said the scale of the leak and the number of those affected is “significantly higher than was first envisaged”, but that it remains “unclear what exactly has been leaked on each person”. He added that the data did not appear to have been used maliciously against anyone so far.

White said: “Since the cyberattack, we have been asking both staff and the public to be on their guard for any suspicious activity. This includes any attempts to access computer systems, such as suspicious emails from an unverified sender asking them to click a link (known as ‘phishing’), as well as phone calls. If anyone has suspicions, they should call Police Scotland by phoning 101.”

Missed briefings
It has emerged that Scottish Government health secretary Neil Gray did not take part in a critical police briefing following attack on NHS Dumfries and Galloway that compromised more than 100,000 patients’ data, a Freedom of Information release has revealed.

According to a new FOI release, Gray has attended just one meeting on the matter, held on 9 May, but excused himself before Police Scotland briefed attendees on how to mitigate the risk to patients and staff. It also gave an update on its investigation. But the FOI release said that Gray “had to leave the call before Police Scotland were able to update on their investigation and requested a written summary be provided”.

On 7 May, two days before the meeting, Gray had said he would be “receptive” to providing emergency funding to the health board, after being questioned by local Labour MSP Smyth.

A separate FOI revealed that information on correspondence and meetings between current and former first ministers and NHS Dumfries and Galloway “does not exist”.

It is unclear whether Alister Jack, who was MP for Dumfries and Galloway before parliament was dissolved, attended any meetings about the attack. His office responded to an FOI by refusing to confirm whether it had the relevant information.

Scottish Labour health spokesperson Jackie Baillie criticised Gray, saying Scotland “cannot afford to have another health minister who takes their eye off the ball”.

“A health secretary should be attending any meeting that relates to the breach of patient data for its entire duration, yet Neil Gray clearly felt he had to be somewhere more important,” she added.

However, a  Scottish Government spokesperson told PublicTechnology sister publication Holyrood that, upon the request of the health secretary, the health board held a briefing on March 18 to keep local representatives up to date.

The spokesperson continued: “He then received regular written updates on progress, again at his request. When the situation escalated on May 9 he requested a further verbal update that day, which Mr Gray attended for the scheduled duration of the meeting before having to leave for business in the parliamentary chamber. Officials remained to pick up any follow-up actions.

“The first minister and the cabinet secretary continue to be fully briefed on the situation in Dumfries & Galloway. Officials meet senior leaders from NHS Dumfries and Galloway and partner agencies, including Police Scotland and national cyber experts, every week with Ministers briefed shortly thereafter. The UK Government’s National Cyber Security Centre… are part of these multi-agency meetings, as are agents from the UK government’s National Crime Agency. Officials are also liaising with NHS England as required.”

A version of this story originally appeared on PublicTechnology sister publication Holyrood

Sofia Villegas

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *