NHS Dumfries and Galloway has apologised for the anxiety caused by the cyber attack last month.
In an update to concerned staff and patients, the health board this week stated that IT systems are running normally in the wake of what was a “focused and persistent attack”.
The statement continued: “A very large amount of patient and staff-identifiable data was accessed during the attack which began at the end of February.
“The scale and breadth of information which the cyber criminals were able to access makes it difficult to define the data which they may have been able to download, or to address this on an individual patient and staff member basis.
“No operations or appointments are identified as having had to be cancelled or postponed as a direct consequence of the attack. Instead, the immediate impact was primarily on staff working arrangements – as the response required some changes to their ways of working and led to limitations on how they access IT systems.”
They also added that the cyber criminals have so far published a ‘proof pack’ demonstrating that they possess stolen data.
The content related to six individual patients, who have all been contacted.
To date, NHS Dumfries and Galloway has received a relatively small number of approaches from members of the public, mainly focused on questions and concerns about emails or approaches they have received. None has so far proved to be related to the attack.
The statement read: “We encourage everyone to remain on their guard for anyone trying to access their data, or for approaches by anyone claiming to possess NHS data relating to them or anyone else. All such incidents should be reported to Police Scotland.
“A robust response has been mounted by the health board’s IT teams, working with advice provided by experts such as the National Cyber Security Centre.
“Actions have been taken to address any further risk of incursion and practical testing will shortly take place before consideration of any moves to lift remaining limitations on staff accessibility to IT systems.
“We are aware of expectations around transparency in relation to the cyber attack, but would highlight once again that this remains a live and very serious criminal matter, and a situation where ensuring the security of systems is paramount.
“NHS Dumfries and Galloway has been the victim of a very significant and determined cyber attack which has potential implications for the people who work for the board and those who are served by it.
“We are extremely sorry for the anxiety which has been caused, and have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies, and being very mindful of security considerations.”
