Ransomware group publishes stolen NHS Scotland data to dark web

NHS Scotland sign pictured at a vaccination center with nurse in scrubs walking by.
(Image credit: Getty Images)

The hacker group behind a ransomware attack on NHS Dumfries and Galloway has followed through on its threat to publish stolen data online, with authorities reporting that a “large volume” of sensitive information has been leaked. 

The health board first reported a cyber incident in March, with threat actors releasing a small amount of stolen data as proof of their attack. The full stolen dataset, believed to be around 3TB, included confidential information pertaining to both staff and patients.

According to the health board, the full dossier of stolen data has now been published to the dark web.

Julie White, chief executive of NHS Dumfries and Galloway, described the cyber attack as an “utterly abhorrent criminal act” and said the health board is coordinating with authorities to support those affected.

“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate,” she said. “Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people.

“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”

The health board advised patients and staff to remain vigilant of potential attempts to “access their work and personal data,” and said those approached by anyone claiming to possess stolen personal data should contact the police.

What happened with the NHS Dumfries and Galloway attack?

NHS Dumfries and Galloway revealed it had suffered a “focused and ongoing cyber attack” on 15 March 2024 and that a “significant quantity” of patient and staff data had been accessed. 

Ryan McConechy, CTO at Barrier Networks, told ITPro at the time that the incident bore all the hallmarks of the Inc Ransomware group, which has frequently targeted public services and healthcare organizations.

“Inc has a history of attacking healthcare organizations, and most ransomware gangs avoid making false claims around victims as it tarnishes their reputation,” he said.

Inc is a relative newcomer to the cyber extortion landscape, but has claimed several victims across the UK in recent months.


A whitepaper from Telefonica Tech on how to revolutionize care with their EPR experts

(Image credit: Telefonica Tech)

Improve patient experience

In late March, the group claimed responsibility for an attack on Leicester City Council which severely disrupted services at the local authority.

That incident marked the second attack by the group within a matter of weeks. Once again, Inc ‘flashed’ details of the incident on its leak site, claiming to have stolen 3TB of sensitive data from internal systems.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.