In a significant escalation of a previously disclosed cybersecurity threat, NHS Dumfries and Galloway has witnessed the full release of over 3 terabytes of confidential data on the dark web.

This follows a prior breach where cybercriminals issued a ‘proof pack’ to demonstrate their possession of the data, initially reported by the UK Defence Journal.

I spent much of this morning reviewing what has been released, and, quite frankly, it’s incredibly concerning. The breach involved the release of over 3 terabytes of highly sensitive information encompassing a broad spectrum of operational and personal data.

The leaked content includes extensive SQL database backups, which likely contain critical system and patient information. Various department-specific documents were also exposed, revealing potential details about patient treatments and diagnostics in areas such as biochemistry, cancer services, and accident and emergency departments.

Particularly alarming is the exposure of data related to children and vulnerable groups. Files from the Child and Adolescent Mental Health Services may include sensitive health information about minors, highlighting the severity of the breach in terms of potential harm to vulnerable populations. Additionally, resources used for creating communication aids, possibly for children with learning difficulties or communication impairments, were also leaked.

The breach extends into sensitive administrative areas as well, with substantial volumes of internal communications, human resources data, and even details from Freedom of Information requests being made public. This not only poses a risk to the privacy of staff members but also jeopardises the integrity of operational data, such as staff leave records.

NHS Dumfries and Galloway Chief Executive Julie White said:
“This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data. We should not be surprised at this outcome, as this is in line with the way these criminal groups operate. Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”
Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website now available. Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people. Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”
George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

22 COMMENTS

  1. Time we started weaning ourselves off all things Chinese, whilst there’s still time to do it gradually and not upset the global economy. You never know some of the muscles might even stop.

  2. Maybe government bodies should be connected to an intranet that is air gapped from the internet so that it cannot be hacked from state sponsored criminal gangs in Russia.

    • The NHS like all other public institutions relies on the internet just as much as any modern private business. Cutting off access won’t do anything to improve patient services.

      What needs to happen is the government needs to provide the resources to provide the equipment and staffing necessary to adequately secure the systems in use.

      Most NHS trusts rely on outdated firewalls and a single brow-beaten “IT Security” specialist who has to do everything from managing individual access rights to defending against state sponsored bad actors.

      • Perhaps the NHS should contract a private company to manage their cyber security. Ooops sorry, mention the P word and NHS in the same sentence.

        • You won’t find any argument from me there, something needs to change for any improvement to occur.

          Whether it be paying a private company to do it in full, with severe penalties for failure or adequately resourcing the existing IT departments to provide the service. Something needs to change.

        • The NHS does use private contractors all the time…same one as the post office on a lot of things…the entire IT infrastructure is constructed by private businesses….you have to remember the NHS does not exist as an entity…it’s not a private or public sector organisation..it’s a construct..it’s actually around 50,000 organisations (public owned, private profit making, social enterprises and charities) that all have the right via contract to use the NHS logo…they each contract their own IT infrastructure.. the only national control on this is a set of standards IT companies and systems must comply with.

    • The NHS is actually about 50,000 completely independent organisations…each with its own systems that in some way need to communicate with other systems.

        • It’s never been what people thought it was…it’s always been a mixed private..public amalgamation of lots of different types of organisations…always makes me laugh when people call the NHS a public sector organisation..it’s not, it’s a system of different organisations that the government purchases healthcare from on behalf of the population…always been based around contracts..it’s just some of the organisations that the NHS contract to are owned by the public and held in trust…the vast bulk of NHS healthcare provision has always been provided by private providers ….pharmacies, GP practices, dentists, optometrists, out of hours services..in fact the only services that are publicly owned are the hospitals, community nursing service and that’s because you would never get the private sector to run a district general hospital (we tried it once and the private sector organisations gave the contract and hospital back after a couple of years…they are loss making money pits unless you can charge 3-4 times what the government pays).

  3. Great…public sector IT strikes again. If you create bureaucracies full of middle managers all squawking away about their own parochial nonsense then important things tend to get overlooked or if they are lucky enough to be noticed then there never is enough funding or organisational energy to deal with it timeously.
    The only answer to bad practice in information technology is regular audits and career ending consequences for budget holders who refuse to take action.

    • I would think the NHS is not unfamiliar with audits😀, but actually firing someone. In all my years, and it’s quite a few, I have never met a public sector employee who was fired or dismissed.

      • As a person who had a job in looking for failure in both staff and contracted companies in the NHS..I assure you we end contracts, both individually and corporate…we also follow up and essentially make sure they never work in the industry again if we think they have crossed a line as well as ensure they lose their licence or are prosecuted…if the NHS thinks you’ve crossed a line loss of your contract is generally the least of your worries….once the NHS gets going it can be evangelical in its approach to discipline (essential with patient facing clinical staff) the issue is its focus is on so many different things….and has to really consider is something worth the time and money.

    • It’s the last sentence of your message that’s the problem.

      There are loads of examples of low level public sector IT people being sacked for failings, which usually occurred because they were expected to perform tasks significantly above their pay scale/level of experience. I experienced this very issue myself in my early career when I worked for one of the largest NHS trusts in the country.

      On the other hand, the budget holder/finance officer who refused time and time again to allocate the appropriate resources, despite repeated warnings about the consequences, almost always walks away scot-free.

      • Chris, I’ve experience working in both public and private sectors. I also have friends working in NHS IT. In the Financial Sector you are audited regularly and failing an audit is a big deal. You could not only be heavily fined, the regulator could also remove your license to operate. So audit failures automatically gain the attention of the CEO and usually go straight onto the business Risk Register. A Risk Register which is itself audited. The last thing in the world a business unit leader wants is to draw that sort of career ending attention. Audits are treated exceptionally seriously.

        My public sector experience is completely different. There tends to be an organisational torpor and a bias not to react to unexpected things. Irregular tick box type audits and infrequent meetings of the risk committee who just add things to the Risk Register list with very few actions resulting.

        The problem is twofold. Firstly there is a lack of stakes for the public sector executive team and secondly there is absence of budget to resolve any issues which are present.

        There’s also a tendency to outsource if they can but only because by doing so they get to transfer the risk to a 3rd party. Managing that 3rd party correctly is not something they do particularly well. Managing 3rd parties is a particular skillset. It’s an active not a passive activity. It’s a constant conversation and you have to keep pushing to keep the contractor focused on delivering a good service and not focused on squeezing the last penny out of the contract.

        I would agree with you that putting inexperienced in positions where they can make mistakes is not something they should be made accountable for. Instead I’m pointing my finger at executive committees which need to be forced to take information security\business continuity far more seriously than they do.

    • I agree the issue is unfortunately money money money and where you put your resources…the NHS always has to look in year and if your PAS system needs updating..but the procurement’s costing you a million quid and your orthopaedic waits are over 18 weeks and the only way to get them in line is to spend a million quid on fast track private ortho…then you spend the money on the ortho capacity….it’s a simple truth money on the IT infrastructure is money that is not going into direct patient care….yes we know IT can support changes in practice and effectiveness…but let’s be honest the NHS got burnt a lot with IT companies promising everything and delivering crap all…the single patient record burnt 12 billion quid before Fujitsu and others turned around and said..sorry it’s not possible…after saying it was and taking the cash (I remember as I fed into the process saying it would not work).

  4. Where is GCHQ expertise and support when a critical government department needs it?

    Of course the health board can’t afford to have World class skills and experience on hand permanently but surely any major change requires the security to be audited before it can go live.

    Database backups are routine so must always be kept safe. Operations 101.

    • I know this is bizarrely wrong. Either somebody has got hold of unencrypted backup media or has gained access to a file share which contains SQL backups. These are novice level errors. Can you imagine what else is wrong at this datacenter?
      I think this Health Authority has Financial problems which is probably the root cause. However the solution to these problems is not to take money away from securing your IT systems.

  5. Come on George, would you like to explain it to us, please? Was that data encrypted? If not, then why not? I appreciate that it costs money (computer power) to run full encryption, but surely any sensitive data held in any database these days should be encrypted? The technology and decent systems techs are there to make it damned difficult to get the data out and lots of power required to run decryption if it should escape. Surely the NHS/Admins are at fault here for holding such data in so easily accessible format in SQL/MySQL? presumably also on a leaky Windows server? I’m not calling SQL/MySQL here, both have superb facilities in place for protecting data, someone’s head should roll over this.
