NHS warns 150,000 patients of blackmail risk

Daniel Sanderson

17 June 2024 at 1:48 pm·2-min read

NHS Dumfries and Galloway admits test results and complaints records are likely to have been stolen in a cyber attack

The NHS has warned nearly 150,000 patients that criminals could attempt to blackmail them after their health records were published online.

NHS Dumfries and Galloway is to send out leaflets to all patients in the region to advise them of the “extremely serious” situation, in which it admits test results, internal correspondence about them and complaints records are likely to have been stolen in a cyber attack.

The leak could leave patients open to extortion attempts from either the hackers or others who have viewed their NHS records online, the health board admitted.

A ransomware attack – in which criminals steal information and then threaten to publish it online unless they receive payment – hit the health board in February.

Data was then published in March on the dark web after the hackers’ demands were rejected.

The health board previously said that “hundreds if not thousands” of patients and staff may have been affected, but it is now feared that figure is far higher.

The leaflets will tell residents that the best approach is to assume that some data relating to them is likely to have been copied and published. Those deemed especially “high risk” are to be contacted individually.

In a message from Julie White, the health board’s chief executive, she said: “We are advising people in Dumfries and Galloway that the best approach to take is to assume that some data relating to you is likely to have been copied and published.

“This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else’s data.”

‘Threaten people’

She said it was an “acknowledged risk” that stolen data could be used to “exploit or threaten people”.

Anyone who is subjected to a blackmail threat is urged to contact Police Scotland.

The force is investigating the attack and NHS Dumfries and Galloway has said its computer systems are now secure.

The health board, which covers an area home to an estimated 149,000 people, has said that while criminals were able to copy information they had not changed patient records.

It admitted in May that some child mental health data had been published.

Colin Smyth, the Labour MSP for the South of Scotland, said: “It is clear that the scale of the leak and the number of people affected is significantly higher than was first envisaged

“It still remains unclear just exactly what has been leaked on each person, despite significant work by the NHS to work through millions of items.”

He said the only “saving grace” was that the data did not appear to have been used against anyone so far.