The chief exec at NHS Dumfries and Galloway will write to thousands of folks in the Scottish region whose data was stolen by criminals, admitting the lot of it was published after the trust did not give in to the miscreants' demands.

Residents of Dumfries and Galloway in Scotland will soon be receiving a letter from the CEO of the regional National Health Service org explaining in full the February cyberattack that may affect them.

Draft copies of the letters to be sent this week were posted on NHS Dumfries and Galloway's website on Monday. It explains in plain terms what happened, what the attack means for residents, and how to stay safe online in the wake of the incident.

"In February this year, NHS Dumfries and Galloway was the victim of a targeted attack by cybercriminals," said Julie White, chief exec at NHS Dumfries and Galloway, in the letter [PDF]. "This did not interrupt the care provided to patients, and no data on our systems was deleted or changed. However, the criminals were able to access and copy large amounts of patient and staff-identifiable data.

"When their demands weren't met, they published the stolen files onto the internet on May 6, 2024. We are advising people in Dumfries and Galloway that the best approach to take is to assume that some data relating to you is likely to have been copied and published.

"This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else's data."

White went on to say that because millions of files were copied, analyzing them all has been challenging, thus analysis efforts have prioritized the most vulnerable patients.

Those considered to be both affected by the breach and one of the high-risk data subjects - generally this refers to the most vulnerable patients - will be contacted directly and separately from the generalized letters going out this week.

White said the four main risks people in the region must be aware of are identity theft, the cybersecurity of their devices (mainly phishing attempts), extortion, and the mental health ramifications of the breach.

Without explicitly naming the organizations at the center of the incident, she cited 2022's Medibank attack in Australia as a similar example of what unraveled in southern Scotland this year.

Medical records belonging to more than 10 million people were stolen by the former ransomware juggernaut REvil, White said, but the insurer refused to pay its ransom demand. Australia fingered Russian national Aleksandr Ermakov for carrying out the attack and plonked him on its sanctions list for good measure.

White said the "sheer scale" of the Medibank incident limited its overall impact on those it affected, and that one cybersecurity expert working alongside the NHS has suggested the same could be said for Dumfries and Galloway's attack in an apparent attempt to quell residents' nerves.

The CEO closed the letter by saying: "On behalf of NHS Dumfries and Galloway, I would like to apologize for the anxiety which may have been caused to you due to this situation. We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies."

Overleaf is a more easily digestible summary [PDF] of the letter's contents, complete with a frequently asked questions section which does a solid job of explaining the facts of the attack.

None of the information is new - it has all been previously reported - but it does a good job of putting all the details, the most important of which were dispersed over multiple weeks. ®

https://www.theregister.com//2024/06/18/nhs_dumfries_and_galloway_letter/