A ransomware group has carried out its threat against a Scottish health board and published a “large volume” of stolen data on the dark web.
NHS Dumfries and Galloway was the subject of a cyber attack in March and confirmed hackers were able to access a “significant quantity of data”, including patient and staff-identifiable information.
The cyber criminals later released a “proof pack” – which included confidential information on a small number of patients – and warned more would follow.
In an update on Monday, the health board confirmed a “large volume of data” had been published.
Julie White, chief executive of NHS Dumfries and Galloway, branded it an “utterly abhorrent criminal act”.
“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate,” she said.
“Work is beginning to take place with partner agencies to assess the data which has been published.”
The health board is working with Police Scotland, the National Cyber Security Centre and the Scottish government in response to the situation.
Ms White said NHS Dumfries and Galloway was “conscious” that the publication of the stolen data “may cause increased anxiety and concern for patients and staff”.
“Data accessed by the cyber criminals has now been published on to the dark web – which is not readily accessible to most people,” she added.
“Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”
The health board is urging the public to be alert for any attempts to access their work and personal data.
It also warned people to be vigilant about any potential approach by someone claiming to be in possession of either their personal data or NHS data – whether this approach comes by email, telephone, social media or some other means.
In all instances, people are advised to take down details about the approach and contact Police Scotland.
The Scottish government said it was aware of the latest development, adding: “It is important to note that the incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across NHS Scotland as a whole.”
Police Scotland said its “inquiries are continuing into a cyber attack on NHS Dumfries and Galloway”.
The health board has set up a dedicated webpage in response to the cyber attack, with a helpline available on 01387 216 777.