In a significant escalation of a previously disclosed cybersecurity threat, NHS Dumfries and Galloway has witnessed the full release of over 3 terabytes of confidential data on the dark web.

This follows a prior breach where cybercriminals issued a ‘proof pack’ to demonstrate their possession of the data, initially reported by the UK Defence Journal.

I spent much of this morning reviewing what has been released, and, quite frankly, it’s incredibly concerning. The breach involved the release of over 3 terabytes of highly sensitive information encompassing a broad spectrum of operational and personal data.

The leaked content includes extensive SQL database backups, which likely contain critical system and patient information. Various department-specific documents were also exposed, revealing potential details about patient treatments and diagnostics in areas such as biochemistry, cancer services, and accident and emergency departments.

Particularly alarming is the exposure of data related to children and vulnerable groups. Files from the Child and Adolescent Mental Health Services may include sensitive health information about minors, highlighting the severity of the breach in terms of potential harm to vulnerable populations. Additionally, resources used for creating communication aids, possibly for children with learning difficulties or communication impairments, were also leaked.

The breach extends into sensitive administrative areas as well, with substantial volumes of internal communications, human resources data, and even details from Freedom of Information requests being made public. This not only poses a risk to the privacy of staff members but also jeopardises the integrity of operational data, such as staff leave records.

NHS Dumfries and Galloway Chief Executive Julie White said:
“This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data. We should not be surprised at this outcome, as this is in line with the way these criminal groups operate. Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”
Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website now available. Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people. Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison
22 Comments

Athelstanthecurious (@guest_816561)
8 days ago

Time we started weaning ourselves off all things Chinese, whilst there’s still time to do it gradually and not upset the global economy. You never know some of the muscles might even stop.

GR (@guest_816562)
8 days ago

Maybe government bodies should be connected to an intranet that is air gapped from the internet so that it cannot be hacked by state sponsored criminal gangs in Russia.

ChrisJ (@guest_816570)
8 days ago
Reply to  GR

The NHS like all other public institutions relies on the internet just as much as any modern private business. Cutting off access won’t do anything to improve patient services.

What needs to happen is the government needs to provide the resources to provide the equipment and staffing necessary to adequately secure the systems in use.

Most NHS trusts rely on outdated firewalls and a single brow-beaten “IT Security” specialist who has to do everything from managing individual access rights to defending against state sponsored bad actors.

Expat (@guest_816578)
8 days ago
Reply to  ChrisJ

Perhaps the NHS should contract a private company to manage their cyber security. Ooops, sorry, mentioned the P word and NHS in the same sentence.

ChrisJ (@guest_816585)
8 days ago
Reply to  Expat

You won’t find any argument from me there, something needs to change for any improvement to occur.

Whether it be paying a private company to do it in full, with severe penalties for failure or adequately resourcing the existing IT departments to provide the service. Something needs to change.

Jonathan (@guest_816599)
8 days ago
Reply to  Expat

The NHS does use private contractors all the time…same one as the post office on a lot of things…the entire IT infrastructure is constructed by private businesses….you have to remember the NHS does not exist as an entity…it’s not a private or public sector organisation..it’s a construct..it’s actually around 50,000 organisations (public owned, private profit making, social enterprises and charities) that all have the right via contract to use the NHS logo…they each contract their own IT infrastructure.. the only national control on this is a set of standards IT companies and systems must comply with.

Paul.P (@guest_816651)
8 days ago
Reply to  Expat

Fujitsu?

Jonathan (@guest_816598)
8 days ago
Reply to  GR

The NHS is actually about 50,000 completely independent organisations…each with its own systems that in some way need to communicate with other systems.

Paul.P (@guest_816652)
8 days ago
Reply to  Jonathan

Divide and conquer?

Jonathan (@guest_816674)
8 days ago
Reply to  Paul.P

It’s never been what people thought it was…it’s always been a mixed private..public amalgamation of lots of different types of organisations…always makes me laugh when people call the NHS a public sector organisation..it’s not, it’s a system of different organisations that the government purchases healthcare from on behalf of the population…always been based around contracts..it’s just some of the organisations that the NHS contract to are owned by the public and held in trust…the vast bulk of NHS healthcare provision has always been provided by private providers ….pharmacies, GP practices, dentists, optometrists, out of hours services..in fact the only services that…

Paul.P (@guest_816691)
7 days ago
Reply to  Jonathan

NHS is a brand. That’s what IBM became.

Cognitio68 (@guest_816571)
8 days ago

Great…public sector IT strikes again. If you create bureaucracies full of middle managers all squawking away about their own parochial nonsense then important things tend to get overlooked or if they are lucky enough to be noticed then there never is enough funding or organisational energy to deal with it timeously.
The only answer to bad practice in information technology are regular audits and career ending consequence for budget holders who refuse to take action.

Expat (@guest_816580)
8 days ago
Reply to  Cognitio68

I would think the NHS is not unfamiliar with audits😀, but actually firing someone. In all my years and it’s quite a few I have never met a public sector employee who was fired or dismissed.

Lonpfrb (@guest_816603)
8 days ago
Reply to  Expat

Clinical Audits, yes.
Financial Audits, definitely.
I.T. Security Audits, hmm..

Jonathan (@guest_816607)
8 days ago
Reply to  Expat

As a person who had a job in looking for failure in both staff and contracted companies in the NHS..I assure you we end contracts, both individually and corporate…we also follow up and essentially make sure they never work in the industry again if we think they have crossed a line as well as ensure they lose their licence or are prosecuted…if the NHS thinks you’ve crossed a line loss of your contract is generally the least of your worries….once the NHS gets going it can be evangelical in its approach to discipline (essential with patient facing clinical staff) the…

ChrisJ (@guest_816587)
8 days ago
Reply to  Cognitio68

It’s the last sentence of your message that’s the problem.

There are loads of examples of low level public sector IT people being sacked for failings, which usually occurred because they were expected to perform tasks significantly above their pay scale/level of experience. I experienced this very issue myself in my early career when I worked for one of the largest NHS trusts in the country.

On the other hand, the budget holder/finance officer who refused time and time again to allocate the appropriate resources, despite repeated warnings about the consequences, almost always walks away scot-free.

Cognitio68 (@guest_816697)
7 days ago
Reply to  ChrisJ

Chris, I’ve experience working in both public and private sectors. I also have friends working in NHS IT. In the Financial Sector you are audited regularly and failing an audit is a big deal. You could not only be heavily fined the regulator could also remove your license to operate. So audit failures automatically gain the attention of the CEO and usually go straight onto the business Risk Register. A Risk Register which is itself audited. The last thing in the world a business unit leader wants is to draw that sort of career ending attention. Audits are treated exceptionally…

Jonathan (@guest_816608)
8 days ago
Reply to  Cognitio68

I agree the issue is unfortunately money money money and where you put your resources…the NHS always has to look in year and if your PAS system needs updating..but the procurement’s costing you a million quid and your orthopaedic waits are over 18 weeks and the only way to get them in line is to spend a million quid on fast track private ortho…then you spend the money on the ortho capacity….it’s a simple truth money on the IT infrastructure is money that is not going into direct patient care….yes we know IT can support changes in practice and effectiveness…but…

Lonpfrb (@guest_816600)
8 days ago

Where is GCHQ expertise and support when a critical government department needs it?

Of course the health board can’t afford to have World class skills and experience on hand permanently but surely any major change requires the security to be audited before it can go live.

Database backups are routine so must always be kept safe. Operations 101.

Dragonwight (@guest_816662)
8 days ago

Unencrypted, SQL backups? Somebody needs firing.

Cognitio68 (@guest_816699)
7 days ago
Reply to  Dragonwight

I know this is bizarrely wrong. Either somebody has got hold of unencrypted backup media or has gained access to a file share which contains SQL backups. These are novice level errors. Can you imagine what else is wrong at this datacenter?
I think this Health Authority has Financial problems which is probably the root cause. However the solution to these problems is not to take money away from securing your IT systems.

John Boulton (@guest_818261)
2 days ago

Come on George, would you like to explain it to us, please? Was that data encrypted? If not, then why not? I appreciate that it costs money (computer power) to run full encryption, but surely any sensitive data held in any database these days should be encrypted? The technology and decent systems techs are there to make it damned difficult to get the data out and lots of power required to run decryption if it should escape. Surely the NHS/Admins are at fault here for holding such data in so easily accessible format in SQL/MySQL? presumably also on a leaky…