Pensioners blast NHS chiefs after private records leaked by cyber criminals and nobody told them

A pensioner couple have blasted NHS chiefs for failing to tell them their most intimate medical details have been leaked online.

Fiona and Owens Elliott from Dumfries were horrified to discover that they were among tens of thousands of people whose health records had been stolen by hackers and released on the dark web last week.

The grandparents said they’d heard nothing from NHS Dumfries and Galloway about the theft and only discovered they were involved after the Sunday Mail told them.

In March, NHS Dumfries and Galloway confirmed it had been targeted by hacking group Inc Ransom, which was demanding payment to keep the stolen documents secret.

A police investigation is still ongoing but the criminals published 3TB of documents - around 43million emails’ worth - on Monday after the health board failed to pay.

Thousands of patients’ details, including their names, addresses and sensitive medical conditions, have been released, and hundreds of people have downloaded the stolen files.

Confidential documents relating to health board management have also been published as well as clinical photographs, information about staff members and private correspondence.

Despite the data being released last week the Sunday Mail spoke to five victims who had no idea their details were involved until we showed them what had happened.

None of them had been contacted by the health board and they were now worried about being targeted by scammers.

Owens, 69, said: “I never thought something like this could happen to us.

“We’d seen the news about the data being stolen but never in a million years did we think our own information was part of that.

“It’s an absolute disgrace that nobody has contacted us about it. It should be a priority. I’ll need to watch now what phone calls and things I’m getting if people have my information.”

Wife Fiona, 66, said: “It makes me worried, yes. What can people do with this kind of information and why did it happen to us?

“We were up at the hospital with our daughter the other day and nobody mentioned a thing. You’d think they’d phone us and tell us what to do.”

Julie Hogg, a housewife from Dumfries, has also had private details about her medical care released online by the hackers but had no idea until the Sunday Mail told her.

After viewing the leaked documents, Julie, 51, said they contained “things I wouldn’t even talk to my friends or family about”.

The mum-of-two said: “It’s really shocking actually.

“There’s stuff in there that even my family doesn’t know. Plus all my personal information. It’s a lot to take in.

“I’m glad you’re doing your job and investigating this but I’m also angry I’ve not been told a thing by the health board.

“The government’s barely said anything about this. If it was John Swinney’s personal details I’m sure they’d be much quicker in doing something. There’s absolutely no urgency at all.”

NHS Dumfries and Galloway said it has set up a helpline for people affected, but Julie said: “The helpline is not much use if you don’t even know that your information has been stolen.”

Scottish Labour Health spokeswoman Jackie Baillie said: “It is shocking that patients have been left in the dark about this data breach.

“This scandal must be causing patients a huge amount of anxiety and distress, and clear communication from the Health Board and the SNP government is the least they should expect.

“The SNP must work with the Health Board to ensure patients are contacted, as well as working to ensure public services are better protected against the threat of cyberattacks.”

NHS Dumfries and Galloway said in a statement on Friday that the process of finding out whose data had been leaked was “neither quick nor easy...because of the type and volume of data which was stolen.”

They confirmed that full medical records had not been stolen but hackers accessed “millions of very small, separate pieces of data”.

It said: “Identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking.

“Four days on from stolen data being published, we expect shortly to have identified high-risk patients and initiated contact.

“It is however likely that the majority of public communications will remain general rather than person specific, and we continue to work closely with the Information Commissioner’s Office on this matter.

“No interaction has been entered into with those responsible for the cyber attack.”

The Scottish Government repeated the NHS's statement but didn't address the calls from victims for more action from ministers.
