The NHS have said that “small pieces of data” were stolen during a cyber attack in February – but urged that it remains a “serious matter”.
Cyber criminals were able to access data including patient and staff-identifiable information during the attack on NHS Dumfries and Galloway.
Data relating to a small number of patients was released in March, and the hackers had threatened that more would follow.
The health board has now said that the criminals accessed “small” pieces of data – ranging from letters from consultant to patients, test results and x-rays.
They also confirmed that the data accessed by the cyber criminals has been published onto the dark web – and has warned there is a risk of it being further accessed, duplicated or shared on the internet.
A spokesperson for the NHS said: “The cyber criminals did not access the primary records system for patients’ health information – which is the system used by GPs, and contains people’s entire medical history in one location. This is a separate system, and it was not accessed.
“Instead, what the cyber criminals were generally able to access was millions of very small, separate pieces of data – examples include individual letters from one consultant to a patient, letters from one consultant to another consultant, test results, x-rays, etc.
“Given that the stolen data has now been made public by the cyber criminals, there is now a risk of it being further accessed, duplicated or shared on the internet, and not just on the dark web.”
The NHS said they have been inundated with questions regarding why the people whose data has been published have not yet been contacted.
They said that identifying affected individuals was a “massive undertaking” and confirmed that communications regarding the matter will “remain general rather than person specific”.
The statement continued: “Unfortunately, compiling a list of people affected by the data publication is neither quick nor easy. This is because of the type and volume of data which was stolen.
“These are housed across a range of separate directories reflecting the very large and complex service structures of NHS Dumfries and Galloway.
“As you will appreciate, identifying the data which was taken, working through it to find identifiable individuals and then assembling all their data is a massive undertaking.
“Although progress is being made, it is for this reason that NHS Dumfries and Galloway has needed to prioritise this work – doing so on the basis of the ‘high-risk’ data which often relates to particularly vulnerable people.
“It is therefore likely that the majority of public communications will remain general rather than person specific. We continue to work closely with the Information Commissioner’s Office on this matter.”
A Police Scotland spokesman said: “Our specialist officers continue to investigate the ransomware attack on NHS Dumfries and Galloway and subsequent leak of confidential information by the criminals.
“Members of the public should not attempt to access or share any leaked data as you may be committing an offence under the Data Protection Act.
“Police Scotland is working with NHS Dumfries and Galloway and other partners, including the National Cyber Security Centre, the National Crime Agency and the Scottish Government, to provide relevant support and advice.”
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country