Sensitive records office data accessed in cyber attack on health board

NHS Dumfries and Galloway was targeted in March.

National Records of Scotland data was among material accessed in the cyber attack on NHS Dumfries and Galloway
National Records of Scotland data was among material accessed in the cyber attack on NHS Dumfries and Galloway (Peter Byrne/PA)

Sensitive data from Scotland’s national records office was among material accessed and published in a recent cyber attack on NHS computers, it has emerged.

Data from the National Records of Scotland (NRS), the body responsible for collecting and holding records and statistics in Scotland, was being held on the NHS Dumfries and Galloway IT network when it was targeted by a cyber attack in March 2024.

NRS said this included sensitive information about a small number of people that was being temporarily held on the network, and information from statutory births, deaths and marriages registers.

The NRS said it holds information on NHS IT networks as part of an administrative service to the NHS, to allow the transfer of patient records when people move between health board areas, across borders within the UK, or move overseas.

NRS chief executive Janet Egdell said: “We are aware that this will be distressing news for those individuals most directly affected.

“This is a live criminal investigation and we are working closely with NHS Dumfries and Galloway, Police Scotland, Scottish Government and other agencies involved in the inquiry.

“NRS takes cybersecurity and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”

NRS said it is writing to people who could be placed at risk of harm as a result of the information taken about them, which it said amounts to fewer than 50 individuals.

The NRS has opened a mailbox for inquiries from members of the public at

Members of the public are also encouraged to be on their guard for any unusual activity which might relate to this incident, including contact from anyone claiming to have their data. These incidents should be reported to Police Scotland by phoning 101.

Police said members of the public should not attempt to access or share any leaked data as they may be committing an offence under the Data Protection Act.