Ransomware group threatens to publish 3TB of stolen NHS Scotland data after posting proof of attack

NHS Scotland sign pictured at a vaccination center with nurse in scrubs walking by.
(Image credit: Getty Images)

A ransomware group says it holds 3TB of patient and staff information stolen from NHS Scotland’s internal systems, with a local health board confirming some of the stolen data has already been published.

NHS Scotland was identified by the Inc Ransom threat collective in a post on the group’s leaksite, providing a ‘proof pack’ that is said to include sensitive medical documents. The group is now threatening to publish the data if demands are not met.

NHS Dumfries and Galloway suffered a “focused and ongoing cyber attack” on 15 March 2024, with a “significant quantity” of patient and staff data stolen.

Ryan McConechy, CTO at Barrier Networks, said the attack bore the hallmarks of the Inc group.

“Inc has a history of attacking healthcare organizations, and most ransomware gangs avoid making false claims around victims as it tarnishes their reputation.”

“[The incident] will undoubtedly cause concern for many citizens in Dumfries and Galloway who are waiting to hear if they were impacted. Their personal data now potentially lies in the hands of bad actors, which could be used in financial and identity fraud.”

The health board has now confirmed that some of the data stolen during the incident has been published by a recognized ransomware group, indicating the Inc group was behind the 15 March attack.

In a post on its web page dedicated to providing updates on the incident, NHS Dumfries and Galloway’s chief executive Jeff Ace confirmed the data published by the group was stolen during the 15 March attack.

“We absolutely deplore the release of confidential patient data as part of this criminal act. This information has been released by hackers to evidence that this is in their possession.”

The breach underscores the elevated threat levels facing critical-national infrastructure organizations in the UK, according to McConechy, noting NHS Dumfries and Galloway is lucky its operations weren’t disrupted more severely.

“The incident once again acts as a reminder that criminals are using cyber to target the UK’s critical infrastructure more frequently today. Fortunately, NHS Dumfries and Galloway appears to be operating almost as normal following the attack, but others are not so lucky.”

Patients are still in the dark as to whether they are affected

Approximately 140,000 people rely on the 50 regional bases that make up NHS Dumfries and Galloway, as well as its 4,500 employees. 

After the incident was first disclosed on 15 March, the health board said it was working closely with Police Scotland, the National Cyber Security Centre (NCSC), and the Scottish Government.

McConechy explained cyber incident forensics is a lengthy process, and it could be some time before victims get any confirmation that their personal data was affected.

In an update posted to the support page, Jeff Ace said there was reason to believe the hackers accessed patient and staff-specific data.


“It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position”, Ace advised.

“However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.”

“We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.