NHS Dumfries and Galloway, a Scottish healthcare provider, fell victim to a significant ransomware attack led by the group known as INC Ransom. This incident, which unfolded in March 2024, led to the theft of three terabytes of sensitive data, including confidential patient and staff information. The data stolen includes a variety of medical documents such as biochemistry and genetics reports, and other sensitive personal details (nhsdg) (Digital Health) (Enterprise Technology News and Analysis).

Data Leaked: The hackers have released what they refer to as a “proof pack,” showcasing snippets of the stolen data. This includes documents dated as recently as 2019, covering discussions between healthcare professionals about patient care, and other sensitive information (techcodex). As of now, the data released covers a small number of patients but includes highly sensitive information, sparking widespread concern and prompting NHS Dumfries and Galloway officials to advise heightened vigilance (nhsdg) (Digital Health).

Threat Actor Profile: INC Ransom is a relatively new player in the cybercrime arena, having emerged around mid-2023. Despite its recent inception, INC Ransom has been actively targeting a broad spectrum of victims, including those in healthcare, education, and the charity sectors. This group has demonstrated a strategic approach in their operations, often selecting targets with substantial financial resources and sensitive data (Enterprise Technology News and Analysis).

Security Response and Ongoing Risk: In response to the attack, NHS Dumfries and Galloway has been collaborating closely with law enforcement, including Police Scotland, and cybersecurity agencies such as the National Cyber Security Centre. They are working to mitigate further risks and address the vulnerabilities exploited during the attack. It has been suggested that the initial access may have been gained through spear-phishing or by exploiting vulnerabilities, including CVE-2023-3519 in Citrix NetScaler, a notable security flaw that has been exploited in other incidents as well (FutureScot).

Impact and Precedents: This attack is part of a troubling trend of increasing cyber attacks on healthcare institutions, a sector particularly vulnerable due to the critical nature of its services and the extensive personal and medical data held. INC Ransom’s actions underscore a persistent threat landscape in which healthcare data is a prime target for cybercriminals, who leverage the urgent need for medical services to pressure victims into meeting ransom demands (Enterprise Technology News and Analysis).

Further Reading: