Mobile numbers of NHS staff compromised in cyber incident
- 30 August 2024
- Mobile numbers of several NHS staff in Scotland have been compromised in a cyber security incident
- NHS National Services Scotland said the breach occurred at the sub-contractor of a third-party supplier to several NHS Scotland boards
- NHS Grampian and NHS Dumfries and Galloway are among the health boards affected
Mobile numbers of NHS staff have been compromised in a data breach at a software supplier, which serves seven Scottish health boards.
Scott Barnet, head of information and cyber security at NHS National Services Scotland, told Digital Health News that a sub-contractor of a third-party supplier to several NHS Scotland boards had experienced a “cyber incident”.
“Although the incident did not directly target any NHS Scotland board, some workforce data has unfortunately been compromised affecting a small number of staff.
“Impacted staff will be notified and will receive appropriate advice and guidance from their respective NHS Scotland Boards,” Barnett said.
He added that the situation was “promptly addressed” and patient data had not been compromised.
NHS Grampian and NHS Dumfries and Galloway are among the health boards affected by the incident.
An internal email to staff at NHS Grampian said that all text messages sent on the system over the past three months had been compromised and mobile numbers may have been obtained by “unknown individuals”, adding that the messages only contained generic information such as shift confirmations with no personal data shared.
NHS Dumfries and Galloway also issued an alert to staff who may have been affected by the incident, but declined to comment.
A spokesperson for the Scottish Government told Digital Health News: “Ministers are aware of an incident that resulted in the mobile numbers of those staff registered on the bank staff rostering system, used by seven health boards, being accessed.
“Individual health boards will contact affected staff”.
They added that “no NHS systems or personally identifiable information have been compromised” and that all services continue to be delivered as normal.
The Information Commissioner has been notified of the incident.
NHS Dumfries and Galloway was the target of a cyber attack in March 2024, in which three terabytes of stolen patient data was published on the dark web by a ransomware group.
In June 2024, Dumfries and Galloway warned almost 150,000 patients to assume that their personal data was likely to have been stolen and published online following the incident.
Meanwhile, pathology provider Synnovis is rebuilding its IT systems, following a cyber attack in June 2024, which led to thousands of patient appointments and operations being postponed across south east London.
The King’s Speech on 17 July 2024, outlined prime minister Keir Starmer’s plans to introduce a new Cyber Security and Resilience Bill, which will expand regulation to cover more digital services and supply chains.