Scottish health board hit by huge cyber attack with ‘significant quantity’ of data at risk

In a statement posted to its website on Friday, the board said the attack was “focused and ongoing” and the files accessed could include “patient-identifiable and staff-identifiable data”, with NHS workers and the public encouraged to “be on their guard”.

The nature of the attack is unclear, but health secretary Neil Gray said the Scottish Government was offering support to the board.

The health board’s statement said: “NHS Dumfries and Galloway has been the target of a focused and ongoing cyber attack. This prompted a swift response in line with our established protocols, working with partner agencies including Police Scotland, the National Cyber Security Agency and the Scottish Government.

“There may be some disruption to services as a result of this situation. During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data.

“Work is continuing together with cyber security agencies to investigate what data may have been accessed, but we have reason to believe that this could include patient-identifiable and staff-identifiable data.

“Breach of confidential data is an incredibly serious matter. We are encouraging everyone, staff and public, to be on their guard for any attempt to access their systems or approaches from anyone claiming to be in possession of data relating to them.”

Police Scotland confirmed the attack had taken place.

Mr Gray said: “I am aware that NHS Dumfries and Galloway has been affected by an ongoing cyber attack. Scottish Government officials have been in close contact with the board, Police Scotland and other partners. including the National Crime Agency and NHS National Services Scotland (NSS).

“There are well established procedures for dealing with a situation of this kind. We are providing assistance and support to NHS Dumfries and Galloway as they handle this incident, and NHS NSS is engaging with the rest of NHS Scotland and providing updates as necessary.”

A spokeswoman from the National Cyber Security Centre said: “We are working with law enforcement, NHS Scotland and the Scottish Government to fully understand the impact of an incident.”

It is not the first time a major Scottish public agency has been targeted by a cyber attack.

Data was stolen from the Scottish Environment Protection Agency (SEPA) in a “sophisticated” cyber attack in 2021. Around 1.2 GB of data, amounting to at least 4,000 files, was stolen, with some of the data then published online.

SEPA said at the time the stolen data was primarily related to business dealings, including its work with international partners and corporate plans.

In a separate incident, police were called in to investigate a suspected cyberattack on local authority Comhairle nan Eilean Siar in November last year that caused “significant disruption”, including the disruption of benefits payments.

The council said at the time the impact to IT systems also meant invoices due to creditors could not be paid.