Sensitive records office data accessed in cyber attack on health board
NHS Dumfries and Galloway was targeted in March.
Your support helps us to tell the story
As your White House correspondent, I ask the tough questions and seek the answers that matter.
Your support enables me to be in the room, pressing for transparency and accountability. Without your contributions, we wouldn't have the resources to challenge those in power.
Your donation makes it possible for us to keep doing this important work, keeping you informed every step of the way to the November election
Andrew Feinberg
White House Correspondent
Sensitive data from Scotland’s national records office was among material accessed and published in a recent cyber attack on NHS computers, it has emerged.
Data from the National Records of Scotland (NRS), the body responsible for collecting and holding records and statistics in Scotland, was being held on the NHS Dumfries and Galloway IT network when it was targeted by a cyber attack in March 2024.
NRS said this included sensitive information about a small number of people that was being temporarily held on the network, and information from statutory births, deaths and marriages registers.
The NRS said it holds information on NHS IT networks as part of an administrative service to the NHS, to allow the transfer of patient records when people move between health board areas, across borders within the UK, or move overseas.
NRS chief executive Janet Egdell said: “We are aware that this will be distressing news for those individuals most directly affected.
“This is a live criminal investigation and we are working closely with NHS Dumfries and Galloway, Police Scotland, Scottish Government and other agencies involved in the inquiry.
“NRS takes cybersecurity and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”
NRS said it is writing to people who could be placed at risk of harm as a result of the information taken about them, which it said amounts to fewer than 50 individuals.
The NRS has opened a mailbox for inquiries from members of the public at cyberincident@nrscotland.gov.uk.
Members of the public are also encouraged to be on their guard for any unusual activity which might relate to this incident, including contact from anyone claiming to have their data. These incidents should be reported to Police Scotland by phoning 101.
Police said members of the public should not attempt to access or share any leaked data as they may be committing an offence under the Data Protection Act.
Subscribe to Independent Premium to bookmark this article
Want to bookmark your favourite articles and stories to read or reference later? Start your Independent Premium subscription today.