X-RAY results, lab tests and clinic letters are among the stolen NHS data published on the dark web this week.
The patient and staff information, said to number 90 folders, was released by a ransomware group following their cyber attack on NHS Dumfries and Galloway in February.
Health bosses were told of the latest move by police on Monday afternoon.
But they still have not contacted affected patients – or explained how their systems were able to be violated in the first place.
In a initial statement that night, NHS Dumfries and Galloway chief executive Julie White said: “This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data.
“We should not be surprised at this outcome, as this is in line with the way these criminal groups operate.
“Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”
She then put out a video on social media yesterday, in which she added: “Due to the scale we are unable at this time to contact individual patients regarding this data breach.
“We are working through a process of prioritising those people we consider to be at greatest risk from the data breach and as soon as we have further information we will make contact with those individuals.”
Mrs White went on: “The type of information that has been stolen includes things like letters between clinicians, appointment letters, outputs from clinics like lab results or xray results.
“What we’re fairly confident in at the moment though is that this information does not incude full patient records like the type that are held by GPs as they are held on a different clinical system.”
She offered assurances that they will contact people ‘wherever possible’, and that they will work to mitigate all risks.
Apologising to everyone that such
an incident had happened to NHS Dumfries and Galloway, Mrs White added: “We have been working with external organisations who are experts in this field to give us assurances that our systems are as secure as they possibly can be at this time in order to mitigate the risk of any further incursions. But we can never be 100 per cent sure of this, but we are confident that our systems are as secure as they can be at this stage.”
Meanwhile, in a bid to address widespread patient and staff anxiety about the hacking, a telephone helpline has been set up.
However, concerns remain that not enough information is being shared publicly.
South Scotland MSP Colin Smyth described the latest developments as “deeply worrying” and said: “There is nothing more sensitive than medical data and given that the perpetrators of this appalling crime will have been fully aware their ransom demands were never going to be met, it seems their motive is to cause damage and distress rather than any realistic expectation they will make money.
“I am pleased NHS Dumfries and Galloway have set up a telephone helpline, which I urged then to do, but it is vital that they outline how much data has been posted and contact as many of the affected patients as possible, in particular vulnerable patients.
“In the meantime, it is more important than ever that we all exercise the maximum vigilance and contact the police if anyone attempts to contact us and claims they have our data.“
Revealing that “91 folders have been published on the dark web”, Galloway and West Dumfries MSP Finlay Carson believes there are many unanswered questions and has raised the matter at Holyrood, asking how the NHS network was exploited and what is being done technically to ensure all systems are back online.
n Access the dedicated website at www.nhsdg.co.uk/cyberattack, and helpline on 01387 216 777.
