The NHS Dumfries and Galloway health board revealed last week it had fallen victim to a “focused and ongoing cyber attack” that seriously disrupted systems.
The incident, first announced on 15 March, may have resulted in hackers acquiring a “significant quantity” of patient and staff data, according to the alert.
NHS Dumfries and Galloway said it is working with Police Scotland, the National Cyber Security Centre (NCSC), and the Scottish Government to handle the sustained attack on its IT systems.
These agencies are currently investigating what data could have been accessed, but the board stated the exfiltrated data could include patient-identifiable and staff-identifiable data, describing the breach as “an incredibly serious matter”.
NHS Dumfries and Galloway serves a population of around 140,000 people in Scotland's south-west region across 50 bases, and employs approximately 4,500 staff.
The board warned there may be disruptions to services as a result of the incident, urging NHS staff and members of the public to be wary of further attacks, as well as extortion attempts.
“We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.”
In the event of observing instances of suspicious activity such as those outlined above, members of the public are encouraged to contact Police Scotland.
Healthcare sector struggling to stay on top of string of cyber attacks
Another Scottish health board, NHS Fife, was the subject of a cyber incident in February 2023.
An ICO investigation into the breach, published in November 2023, found an unauthorized person was able to access a hospital ward without presenting ID verification.
Once the individual was on the ward they were passed documents confirming personal information belonging to 14 people, and even assisted in administering care to one patient, according to the investigation.
The individual was able to leave the site with the personal information, which had not been recovered at the time of the investigation.
More recent notable cyber incidents affecting the healthcare sector include attacks on two of France’s largest healthcare payment service providers Viamedis and Almerys.
The attack occurred in February 2024, and involved stolen data that contained sensitive information of 33 million people.
This included personal information such as marital status, date of birth, social security number, guarantor, and guarantees of their contract.
Get insight into how the cyber threat landscape is evolving within the public sector
US medical services were also seriously impacted by a cyber attack on Change Healthcare, a technology company whose systems are used by hospitals and pharmacies across the country.
On 21 February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, disclosed it had suffered a major breach causing major delays to prescription services.
The company’s filing with the US Securities and Exchange Commission (SEC) on 27 February stated the group responsible for the attack are nation-state backed threat actors.
The attack sparked action from US agencies warning companies in the healthcare sector to allocate more resources towards bolstering their cyber resilience.
The FBI, CISA, and Department of Health and Human Services updated their #StopRansomware joint advisory to reflect the elevated threat levels facing the healthcare sector.
The advisory urged healthcare companies to be serious about an increasingly hostile threat landscape particularly focused on critical national infrastructure organizations, such as healthcare services companies.
