Ransomware group threatens to publish 3TB of stolen NHS Scotland data after posting proof of attack
NHS Dumfries and Galloway has confirmed some of the sensitive data stolen during the 15 March attack has been published by a known ransomware operator


A ransomware group says it holds 3TB of patient and staff information stolen from NHS Scotland’s internal systems, with a local health board confirming some of the stolen data has already been published.
The Inc Ransom threat collective named NHS Scotland in a post on the group’s leak site, which included a ‘proof pack’ that is said to contain sensitive medical documents. The group is now threatening to publish the data if demands are not met.
NHS Dumfries and Galloway suffered a “focused and ongoing cyber attack” on 15 March 2024, with a “significant quantity” of patient and staff data stolen.
Ryan McConechy, CTO at Barrier Networks, said the attack bore the hallmarks of the Inc group.
“Inc has a history of attacking healthcare organizations, and most ransomware gangs avoid making false claims around victims as it tarnishes their reputation.”
“[The incident] will undoubtedly cause concern for many citizens in Dumfries and Galloway who are waiting to hear if they were impacted. Their personal data now potentially lies in the hands of bad actors, which could be used in financial and identity fraud.”
The health board has now confirmed that some of the data stolen during the incident has been published by a recognized ransomware group, indicating the Inc group was behind the 15 March attack.
In a post on its web page dedicated to providing updates on the incident, NHS Dumfries and Galloway’s chief executive Jeff Ace confirmed the data published by the group was stolen during the 15 March attack.
“We absolutely deplore the release of confidential patient data as part of this criminal act. This information has been released by hackers to evidence that this is in their possession.”
The breach underscores the elevated threat levels facing critical national infrastructure organizations in the UK, according to McConechy, who noted that NHS Dumfries and Galloway is lucky its operations weren’t disrupted more severely.
“The incident once again acts as a reminder that criminals are using cyber to target the UK’s critical infrastructure more frequently today. Fortunately, NHS Dumfries and Galloway appears to be operating almost as normal following the attack, but others are not so lucky.”
Patients are still in the dark as to whether they are affected
Approximately 140,000 people rely on the 50 regional bases that make up NHS Dumfries and Galloway, as well as its 4,500 employees.
After the incident was first disclosed on 15 March, the health board said it was working closely with Police Scotland, the National Cyber Security Centre (NCSC), and the Scottish Government.
McConechy explained cyber incident forensics is a lengthy process, and it could be some time before victims get any confirmation that their personal data was affected.
In an update posted to the support page, Jeff Ace said there was reason to believe the hackers accessed patient and staff-specific data.
“It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position”, Ace advised.
“However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.”
“We will look to update as and when we can, but in the meantime would again caution staff and patients to be on their guard for anyone accessing their systems, or anyone making contact with them claiming to be in possession of any information. Any such incidents should be reported immediately to Police Scotland on 101.”
Solomon Klappholz is a former Staff Writer at ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.