Scots NHS patients' medical files on dark web after hackers leak stolen data
The private medical records of NHS patients can be found on the internet with just a few clicks of a mouse and basic internet knowledge.
And thousands more of these records could soon be published after a sinister hacking group stole a huge cache of documents from NHS Dumfries and Galloway last month.
The group, INC Ransom, took 3TB worth of data from the health board – the equivalent of 43 million emails – and demanded cash to keep the information private.
The Sunday Mail easily accessed documents the cyber criminals released on the dark web to prove they had hacked the NHS system.
They detail some of the most personal information about six patients, including a disabled 10-year-old and an 81-year-old man.
Along with patients’ names and dates of birth, the documents show their CHI numbers (unique numeric identifiers), home addresses and even one person’s personal email address.
They also include intimate details of people’s lives and medical histories, test results and private disclosures made to doctors about their conditions.
NHS Dumfries and Galloway admitted to the Sunday Mail that while these six patients have been notified, they don’t know how many more people’s information has been stolen or what files the hackers have.
Labour deputy leader Jackie Baillie called for Health Secretary Neil Gray to explain how the breach happened and what is being done to prevent it happening in other health boards.
She said: “It’s now clear that some of the most sensitive data imaginable is part of this leak but the SNP have stayed silent leaving patients alone with their fears. That is unacceptable.
“The Health Secretary must urgently come to parliament to outline what will be done to support the victims of this attack, what the risk is to other health boards and outline what steps he has taken to make sure it can’t be repeated.”
The size of the stolen data cache suggests it is likely to cover thousands of people.
We are keeping the details of those affected vague and will not explain how we accessed the information.
Experts have warned that it could lead to a wave of fraud against those whose information has been compromised.
Professor Lynne Coventry, director of Abertay University’s cyber security research centre, said: “Health records can be more valuable than financial records as they can often hold sensitive health information in addition to financial details.
“These records can be sold on the dark web and used to commit identity fraud, target spear phishing attacks at the patients, or potentially blackmail individuals.”
Professor Coventry said that any large organisation is at risk of being targeted, adding: “Hackers often target larger organisations on the basis of scale in the assumption that they may be able to afford a ransom demand.
“Similarly, they may target organisations which have a large amount of confidential data in the hope that they will pay to avoid impact on their staff or clients.”
A leading lawyer has called for the NHS to confirm exactly how many patients are affected and what has been compromised.
Patrick McGuire, partner at Thompsons solicitors, also warned that the NHS could have a massive legal bill as a result of the hack because anyone whose records have been stolen could sue.
He said: “The amount of information is enormous. This has to be one of the biggest data breaches in the NHS in Scotland, possibly in the whole of Scotland.
“It is going to find its way on to the dark web. It’s very personal information so you can understand the level of concern by people affected. They’re going to be upset and traumatised.
“The NHS appears not to have contacted anyone other than those whose data was already published. It’s imperative they find out exactly whose information has been stolen and notify everyone.
“There is a very real probability that people whose information has been taken will seek financial redress, and legally there is a high bar to meet when it comes to defending any claims like this.”
Scots Tory health spokesman Dr Sandesh Gulhane said: “As Health Secretary, it’s Neil Gray’s duty to explain to patients how this attack has impacted them, what harms have been caused, what action is being taken to allay fears and whether any other health boards are at risk of this type of sinister attack.
“People have a right to know definitively whether their personal details have been obtained by hackers.”
NHS Dumfries and Galloway said: “The scale and breadth of information which the cyber criminals were able to access makes it difficult to define the data which they may have been able to download, or to address this on an individual basis.
“All six patients whose data was featured within the proof pack published by the cyber criminals were contacted promptly.”
A spokesman for the Information Commissioner’s Office said: “NHS Scotland has made us aware of an incident and we are assessing the information provided.”
Police Scotland said: “Enquiries are ongoing.”