Data breached at Scottish NHS board

Attackers could have acquired a 'significant quantity' of data


A "focused and ongoing" cyber attack has disrupted services and may have compromised patient data at one of Scotland's 14 NHS regions.

NHS Dumfries and Galloway, serving the Dumfries and Galloway region in southern Scotland, says it has been the target of a "focused and ongoing" cyber attack.

The board says it is working with Police Scotland, the National Cyber Security Centre (NCSC) and the Scottish government to handle the fallout, though it added that its response has been "swift" and "in line with our established protocols."

It has warned that services may be disrupted while the attack continues and, more seriously, that the attackers may have been able to acquire "a significant quantity of data."

On a new webpage dedicated to the attack, the NHS board says it is working to determine exactly what data might have been accessed, but added, "we have reason to believe that this could include patient-identifiable and staff-identifiable data."

To fine or not to fine?

If data that could identify patients and staff has indeed been lost in the NHS Dumfries and Galloway attack, the region could find itself facing punitive action from the Information Commissioner's Office.

Under UK GDPR, fines for personal data breaches can reach £17.5 million or 4% of annual worldwide turnover, whichever is higher, although the position for the public sector is slightly different.

In 2022, the ICO set out a new approach to punitive action against public sector bodies, which covers warnings, reprimands and enforcement notices. Fines are a last resort, for the simple reason that a public body paying the ICO just circulates money within government.

What happens if it's ransomware?

There has been no indication yet of what type of attack this is, although the board's own description makes clear that it was a targeted attack rather than an accidental breach. What is not clear is whether ransomware is involved, and what the health board will do if it is.

NCSC guidance is that ransoms should not be paid, and that expectation applies with particular force in the public sector. This isn't law, though the former head of the NCSC urged the government to legislate on the matter earlier this month.

Paying a ransom may (or may not: these are criminals, after all) get you up and running again. It also funds future attacks on other organisations, and perhaps repeat attacks on your own, once the attackers know you are willing to put your hand in your pocket.

The British Library, which was breached last autumn, followed the NCSC's recommendations and refused to engage with its attackers. It is, unfortunately, still working to recover everything it lost in the attack. Can an NHS board afford to wait that long?
