cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

INC Ransom claims ransomware attack on NHS Scotland

The ransomware gang threatens to publish three terabytes of data, including confidential patient records.

user icon David Hollingworth
Wed, 27 Mar 2024
INC RANSOM claims ransomware attack on NHS Scotland
expand image

The INC Ransom ransomware gang has posted details of a recent attack on NHS Scotland and threatened to publish three terabytes of stolen data “soon”.

The gang also posted several letters and other medical reports by way of proof of the attack.

Included in the “proof pack” are biochemistry reports, letters between doctors regarding patient treatments, genetics reports, and patient psychological reports. The documents include names, addresses, and very personal medical details.


INC Ransom’s post was made on 26 March and no hard deadline has been given nor a ransom demand.

While the ransomware gang claims the victim of the hack is NHS Scotland, NHS Dumfries and Galloway – one of 14 regions administered by NHS Scotland – reported a cyber incident on 15 March, warning that “there is a risk that hackers have been able to acquire a significant quantity of data”. Many of the documents in INC Ransom’s proof pack appear to be from that region.

On 19 March, NHS Dumfries and Galloway chief executive Jeff Ace released a further statement.

“As you would expect, this has been viewed as an extremely serious matter demanding a major response,” Ace said.

“Over recent days we’ve been very busy working with partner agencies to ensure the security of our systems, to adapt to the associated disruption, and to assess the potential risk posed by the hackers’ ability to access data.

“It must be noted that this is a live criminal investigation, and we are very limited in what we can say. In addition, a great deal of work is required in order to say with assurance what data may have been obtained, and we are not yet in that position.

“However, as it has been noted, there is reason to believe that those responsible may have acquired patient and staff-specific data.

“The NHS board views patient and staff confidentiality as a key priority, along with ensuring welfare and wellbeing. As such, very great effort is being made to address this situation, and to try to prevent it from being repeated.

“We will look to update as and when we can, but in the meantime, would again caution staff and patients to be on their guard for anyone accessing their systems or anyone making contact with them claiming to be in possession of any information.”

It is unknown for certain if the two incidents are related, but the patient data leaked by INC Ransom would appear to suggest a clear link.

NHS Dumfries and Galloway covers 11 hospitals, employs more than 3,800 people, and supports a region the south of Scotland with a population of 148,500.

When asked about the INC Ransom claims, NHS Dumfries and Galloway chief executive Jeff Ace said that he was aware of the claim.

“We absolutely deplore the release of confidential patient data as part of this criminal act," Ace said in a statement shared with Cyber Daily via email.

“This information has been released by hackers to evidence that this is in their possession.

“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government and other agencies in response to this developing situation.

“Patient-facing services continue to function effectively as normal.

“As part of this response, we will be making contact with any patients whose data has been leaked at this point.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

UPDATE 28/03/24: Additional commentary from Jeff Ace added

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.