NHS D&G Answer Concerns Over Cyber Attack

At the start of this week NHS Dumfries and Galloway advised that patient and staff-identifiable data stolen during the cyber attack on NHS Dumfries and Galloway had been published.


Inevitably, questions have followed, and they now seek to provide further understanding and clarity.


A spokesperson from NHS D&G stated: “A key question being posed is why the people whose data has been published have not yet been contacted.
Unfortunately, compiling a list of people affected by the data publication is neither quick nor easy. This is because of the type and volume of data which was stolen.
The cyber criminals did *not* access the primary records system for patients’ health information – which is the system used by GPs, and contains people’s entire medical history in one location. This is a separate system, and it was not accessed.
Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from one consultant to a patient, letters from one consultant to another consultant, test results, x-rays, etc.
These are housed across a range of separate directories reflecting the very large and complex service structures of NHS Dumfries and Galloway.
As you will appreciate, identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking.
Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people.
It is therefore likely that the majority of public communications will remain general rather than person-specific. We continue to work closely with the Information Commissioner’s Office on this matter.
Another question posed is how the cyber criminals were able to access the NHS Dumfries and Galloway systems.
Details of what took place around the cyber attack are the subject of a live criminal investigation and regarded by investigators as specialist knowledge. While stolen information has been made public, work has been undertaken with external experts to ensure that systems are as secure as possible.
Given that the stolen data has now been made public by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web.
As we have stated from the very beginning, this is a very serious matter. We do recognise the comments this week by the founding Chief Executive of the National Cyber Security Centre, Ciaran Martin, where he advises people not to panic, and points to previous experiences of health data breaches such as in Australia.
Nevertheless, as we have done throughout, we continue to ask people to be on their guard for any unusual activity which might relate to this incident – attempts to gain access to computers, suspicious emails, phone calls from people claiming to be in possession of their health data or any NHS data.
These incidents should be reported to Police Scotland by phoning 101.
Police Scotland continue to support us in the work responding to the cyber attack and the publication of the data, and they have produced the following statement which reflects that this is a matter being taken extremely seriously, the legal considerations, the work continuing to take place, and the range of agencies involved.
A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.
“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.
“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”