Hacker in front of screen showing NHS Scotland stolen data

Hacker Group Publishes NHS Scotland’s Stolen Data and Threatens to Dump Entire 3 TB Unless Paid

Hackers who breached NHS Dumfries and Galloway have threatened to release 3TB of stolen data from NHS Scotland, raising the stakes of the March 2024 cyber attack.

NHS Dumfries and Galloway is an NHS board in one of NHS Scotland’s 14 regions. It provides healthcare services to about 150,000 people and has a workforce of about 4,000.

On March 15, 2024, NHS Dumfries and Galloway said it experienced an “ongoing cyber attack” that leaked significant employee and patient data. Inc Ransom claimed responsibility for that cyber attack.

NHS Scotland’s stolen data published on the dark web

The Inc Ransom cybercrime gang added NHS Scotland to its dark web data leak site and alleged it stole 3TB of sensitive information.

The group also provided a “proof pack” of the allegedly stolen data, which included screenshots of medical records. Some of the stolen data dates back to 2019, which suggests it may be less valuable than the group claims.

However, the ransomware gang has threatened to dump the entire trove online if a ransom is not paid. Although the group did not give a timeline for leaking the stolen data, it usually sets a 72-hour deadline for payment.

“3 terabytes of data will be published soon,” Inc Ransom said. “NHS Scotland currently employs approximately 140,000 staff who work across 14 territorial NHS Boards, seven Special NHS Boards and one public health body.”

Without attributing the attack to Inc Ransom, NHS Dumfries and Galloway acknowledged a data leak that apparently affected only a “small number of patients” and was carried out by a “recognized ransomware group.”

In a statement shared online, NHS chief executive Jeff Ace said, “We absolutely deplore the release of confidential patient data as part of this criminal act.”

NHS Dumfries and Galloway said it was working with relevant Scottish and national authorities to respond to the cyber incident and assess the “consequences of the incursion into NHS systems.”

“This information has been released by hackers to evidence that this is in their possession. We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies in response to this developing situation,” said NHS.

Scottish First Minister Humza Yousaf said the government takes “cyber security very seriously” and would “continue to invest in cyber security.” Many healthcare bodies grapple with inadequate cybersecurity investment, making them particularly vulnerable to cyber-attacks.

Without explaining the steps his government would take, he also promised to do everything to stop the stolen data from being published.

Release of stolen data can have lasting impact

Most governments discourage ransom payments to avoid incentivizing cybercrime but advise victims to prioritize their customers’ and business partners’ best interests.

“This is why enacting legislation that would flatly ban payment of ransom is highly undesirable and can cause more harm than good,” said Dr. Ilia Kolochenko, CEO at ImmuniWeb. “Whilst I share the FBI’s firm position that payment of ransom subsidizes cybercrime and provokes new cyberattacks, there are cases when an isolated payment of ransom will be the lesser of all evils.”

He noted that the risk of exposing sensitive health information could justify paying the ransom even if recovering the stolen data was not guaranteed.

“For instance, if an HIV status, sexual health or terminal cancer diagnosis is publicly revealed, it can ruin people’s careers or even provoke suicide. Under such extreme pressure, payment of ransom may be well justified. Having said this, payment will, of course, not guarantee that the data will never be leaked elsewhere, but it will at least reduce such risk,” said Kolochenko.

Meanwhile, the NHS Scotland regional board also said it understands the lasting impact of leaking the stolen data and promised to contact the impacted individuals.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population,” said NHS.

“While it is unclear how many individuals are impacted by the attack and what kind of sensitive medical data has been stolen, the mere size of the dump implies quite catastrophic and unrepairable damage to some individuals,” Kolochenko said.

The NHS Scotland regional board also said that patient-facing services no longer faced disruptions due to the cyber incident and continued to operate normally.

Similarly, the Scottish government confirmed that the cyber attack was confined to NHS Dumfries and Galloway, and no further incidents were reported across NHS Scotland.

Since it emerged in July 2023, Inc Ransom has indiscriminately victimized dozens of organizations, including healthcare institutions.

The group gains initial access through phishing emails and by exploiting software vulnerabilities such as Citrix NetScaler CVE-2023-3519. It uses a Tor-based portal to communicate with its victims and tracks payments using unique personal IDs.
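Because an unpatched edge appliance is the kind of foothold described above, the first defensive step after a bulletin like the one for CVE-2023-3519 is to find every appliance still running an older build. The script below is an added example, not code from the article or from NHS Scotland: it parses NetScaler version strings from an asset inventory, compares each against a per-branch minimum patched build, and separates appliances on branches that have no patched build at all (which must be upgraded rather than patched). The inventory, hostnames and the threshold table are constructed placeholders; the real minimum builds must be taken from the vendor bulletin, and the `show ns version` output format is assumed.

```python
"""
Triage NetScaler appliances from an asset inventory by comparing their build
against the minimum patched build for their release branch.
Constructed example: inventory, hostnames and thresholds are placeholders.
"""
import re
from typing import Optional

# PLACEHOLDER thresholds: minimum build per release branch that counts as
# patched. Illustrative values only, not the vendor's published numbers;
# fill them in from the vendor bulletin for the CVE being checked.
MIN_PATCHED_BUILD = {
    "13.1": (13, 1, 50, 0),
    "13.0": (13, 0, 92, 0),
}

# Accept both "13.1-48.47" (the style used in advisories) and
# "NS13.1: Build 48.47.nc" (assumed style of `show ns version` output).
_ADVISORY = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)")
_SHOWVER = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_build(text: str) -> Optional[tuple[int, int, int, int]]:
    """Return (major, minor, build, sub) or None if the string is unrecognised."""
    m = _ADVISORY.match(text.strip()) or _SHOWVER.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(text: str) -> str:
    """Classify one appliance as patched, vulnerable, unsupported-branch or unknown."""
    build = parse_build(text)
    if build is None:
        return "unknown"
    branch = f"{build[0]}.{build[1]}"
    floor = MIN_PATCHED_BUILD.get(branch)
    if floor is None:
        # A branch with no patched build in the bulletin (e.g. an end-of-life
        # release) cannot be made compliant by patching; it needs an upgrade.
        return "unsupported-branch"
    return "patched" if build >= floor else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the vulnerable list can go straight to patching."""
    out = {"patched": [], "vulnerable": [], "unsupported-branch": [], "unknown": []}
    for host, version in inventory.items():
        out[assess(version)].append(host)
    for hosts in out.values():
        hosts.sort()
    return out


# Constructed inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "gw-edge-01.example.test": "13.1-48.47",
    "gw-edge-02.example.test": "NetScaler NS13.1: Build 50.11.nc, Date: ...",
    "gw-dr-01.example.test": "13.0-91.13",
    "gw-legacy.example.test": "12.1-65.25",
    "gw-lab.example.test": "n/a",
}

if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{category:19s} {', '.join(hosts) or '-'}")
```

Tuple comparison gives the correct ordering for dotted builds (48.47 is older than 50.11, which a plain string comparison would get wrong), and unparseable entries are reported as `unknown` rather than silently passed, since a blank version field usually means the appliance was never inventoried properly.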