EXCLUSIVE – A ransomware group has threatened to release an astonishing three terabytes of stolen NHS patient and staff data, which it says will be published “soon” if their demands are not met.

The cybercriminals have gone as far as posting several letters and medical reports as evidence of their successful breach.

The disclosed “proof pack”, which we have blurred below, includes a variety of sensitive documents, ranging from biochemistry and genetics reports to letters between doctors discussing patient treatments and psychological reports. Alarmingly, these documents contain highly personal medical details, including names and addresses of patients.

The attack was publicly disclosed by INC RANSOM on March 26, but no specific deadline for a ransom payment has been provided. We have contacted NHS Scotland for comment.

Interestingly, the ransomware gang’s claims have been somewhat corroborated by NHS Dumfries and Galloway, a regional health board under NHS Scotland. On March 15, they reported a cyber incident, acknowledging the potential compromise of a significant amount of data.

Offering an update, NHS Dumfries and Galloway Chief Executive Jeff Ace said:

“As you would expect, this has been viewed as an extremely serious matter demanding a major response. Over recent days we’ve been very busy working with partner agencies to ensure the security of our systems, to adapt to the associated disruption, and to assess the potential risk posed by the hackers’ ability to access data.

It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position. However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data. The NHS Board views patient and staff confidentiality as a key priority, along with ensuring welfare and wellbeing. As such, very great effort is being made to address this situation, and to try to prevent it from being repeated.

We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101.”

Many of the documents flaunted by INC RANSOM seem to originate from this particular region, adding credibility to the ransomware gang’s assertions, we’ll update you when we have more from NHS Scotland on this.

INC Ransom first appeared in July 2023, and it not only encrypts and steals its target’s data but then threatens to publish it online if the victim doesn’t pay. According to Ransomlooker, Cybernews’ ransomware monitoring tool, INC Ransom has taken aim at least 65 organisations over the last 12 month period.

A Police Scotland spokesperson told me: “Enquiries are ongoing.”

Update as of 1220pm.

NHS Dumfries and Galloway have said that it is aware that clinical data relating to a small number of patients has been published by a recognised ransomware group. This follows a recent focused cyber attack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.

NHS Dumfries and Galloway Chief Executive Jeff Ace said:

“We absolutely deplore the release of confidential patient data as part of this criminal act. This information has been released by hackers to evidence that this is in their possession.

We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government and other agencies in response to this developing situation. Patient-facing services continue to function effectively as normal.

As part of this response, we will be making contact with any patients whose data has been leaked at this point.

NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

Avatar photo
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison
Subscribe
Notify of
guest

19 Comments
oldest
newest
Inline Feedbacks
View all comments
harryb
harryb
17 days ago

What are their demands?

John
John
17 days ago

Bring back hanging.

Dragonwight
Dragonwight
17 days ago

Closing the door after the horse has bolted is cold comfort to those whose information is now ‘out there’. It really is a disgrace. My other half recently had her details stolen in a cyber attack. The laxidasical approach some of these organisations take to the security of your data is frankly appalling. Especially when you must hand over your data.

Last edited 17 days ago by Dragonwight
Supportive Bloke
Supportive Bloke
16 days ago
Reply to  Dragonwight

That is the problem.

Every Tom, Dick and Harry has the right to demand a copy of your drivers license or passport to be ‘securely’ stored.

Of course their idea of security and my idea of security are rather different.

Not much sign of EAR [Encryption At Rest] here is there?

The comedy part of it is that it is mostly to aid very lazy policing that depends on ID data being honestly submitted. Of course the criminals mostly use false ID’s so most that fantasy anti terrorist policing doesn’t actually work and is a total waste of massive resources.

Cymbeline
Cymbeline
15 days ago
Reply to  Dragonwight

To be fair, there’s very few systems out there that can’t be hacked. The NHS have been done before of course, but trying to stop these tw*ts is almost impossible. When you consider a fair few of these anti virus companies have been breached themselves there’s not much hope for the rest of us. On the plus side I expect HMG are hoovering up a lot of Ukrainian talent to work here in the UK for various agencies. They of course know probably more than anyone how the Russians work and have a history of penetrating their systems.

Jim
Jim
17 days ago

We should definitely be pumping even more of the defence budget into this to save other government departments and private companies from having to invest in decent cyber security. 🥴

I wonder if GCHQ could do outsourcing.

Mark B
Mark B
16 days ago
Reply to  Jim

Maybe try the National Cyber Security Centre ….

George Amery
George Amery
16 days ago

Hi folks hope all is well. Well I’m not surprised. Some of you may recall this happening to NHS England some years ago. Well before the NHS England attack, the NHS was warned to have firewalls built into their systems and processes. They didn’t and sat on their hands as usual. Now a similar issue again. Shameful, NHS is so lackadaisical. I used to work for the NHS many years ago and the waste was disgraceful. My wife used to work for the NHS many years after I had, and she told me if the same issues of waste and… Read more »

Dave Wolfy
Dave Wolfy
16 days ago

You get what you pay for.
I work for a police force, I do their network.
We have not been able to recruit for over ten years, the pay is dire.
We have to develop from within, once trained they clear off.

NHS pay is not that much better.

You get what you pay for.

Jacko
Jacko
16 days ago
Reply to  Dave Wolfy

Funny though isn’t it? There doesn’t seem to be many shortages in the ‘management’ level of the NHS! I wonder where a lot of the money is going🤔

Bringer of facts
Bringer of facts
16 days ago
Reply to  Dave Wolfy

And the fact that rolling out any changes across a system as large as the NHS takes time, so there is no quick fix to any problem.

And by the time you have finished rolling out changes to hardware / network / operating systems and applications you can bet that some part of the system has already become obsolete or vulnerable to security exploits, so the whole process starts again

Last edited 16 days ago by Bringer of facts
Dave Wolfy
Dave Wolfy
16 days ago

The NHS is not one place.
Each region does its own network for example.
There is not a standard across the whole of the NHS.

Bringer of facts
Bringer of facts
16 days ago
Reply to  Dave Wolfy

I know all that.

It is still a large job no matter how you break it down.

I have done some work for the civil service, and large private sector corporates, rolling out updates across large organisations is a never ending task.

Dave Wolfy
Dave Wolfy
15 days ago

Then you ought to know that bringing these large organisations up to scratch is not the big job, it is maintaining them.
Wages for technical staff in the public sector is dire.

Bringer of facts
Bringer of facts
15 days ago
Reply to  Dave Wolfy

Upgrades can fall under the task of maintenance, the term crosses over when you are dealing with software.

DJ
DJ
16 days ago

The world, including governments are rushing to go all digital. You don’t want to go digital, we will penalise you. Digital comes at a price. Most are looking at how much cheaper digital is. This assumes everything will run as it should. When it doesn’t, the price multiplies in more ways than one. All that data lost also leads to further prices being paid by others elsewhere. I predict it won’t be long and the insurance industry will pull the plug. Cheaper having 100,000 ton ships running into bridges. Can digital work? Sure. But not the way it is presently… Read more »

Mark B
Mark B
16 days ago
Reply to  DJ

I think the issue here is that the NHS has not fully embraced the modern world and is dragging it’s heals. It is perfectly possible to have excellent IT solutions saving people’s lives throughout the NHS. It is also perfectly possible to protect people’s data in such a way that it can only been seen by those who have a right to know or a need to know.

Mark B
Mark B
16 days ago

The state should protect the entire public sector and national companies large or small from this sort of threat. Everyone should know how to protect their data and have a duty to do so.

Gunbuster
Gunbuster
16 days ago

As I commented on the hellsite.

If NHS efficiency is involved and their own IT systems, the 3 Terabytes of data will involve the release of three people’s names…