National Records of Scotland

Preserving the past, Recording the present, Informing the future

NRS data in NHS Dumfries and Galloway criminal attack

NRS data in NHS Dumfries and Galloway criminal attack

Wednesday, 22 May 2024
General Register House

National Records of Scotland (NRS) data was accessed and published as part of the criminal cyber-attack on NHS Dumfries and Galloway.

NRS holds information on the NHS Dumfries and Galloway IT network as it runs an administrative service for the NHS to allow the transfer of patient records when people move between health board areas, across borders within the UK or move overseas.

NRS has been assessing the stolen information through a prioritised risk assessment process and has identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack.

NRS is already engaging with the affected individuals and has also informed the Information Commissioner.

Some information which comes from the statutory births, deaths and marriages registers was also accessed. This information is used to correctly identify patients and maintain the accuracy of the service.

NRS has a statutory obligation to make information from these registers available. This is available to the public on request from NRS, for a fee.

NRS Chief Executive Janet Egdell said:

“We are aware that this will be distressing news for those individuals most directly affected. This is a live criminal investigation, and we are working closely with NHS Dumfries and Galloway, Police Scotland, Scottish Government and other agencies involved in the inquiry.

“NRS takes cyber security and privacy seriously. This includes ensuring the continued safe provision of the service we provide.”

The cyber-attack caused some initial disruption to the operation of the service but with the support of staff and partners it has been fully operational since shortly after the attack took place.

NRS has opened a mailbox for enquiries from members of the public at [email protected].

Members of the public are also encouraged to be on their guard for any unusual activity which might relate to this incident. This includes contact from anyone claiming to have their data. These incidents should be reported to Police Scotland by phoning 101.

Police Scotland has advised that members of the public should not attempt to access or share any leaked data as they may be committing an offence under the Data Protection Act.


  • NRS maintains a database of NHS patients by using its registration data and information from health boards. This database is kept separately from the NHS Dumfries and Galloway network and was not accessed in the attack.
  • Fewer than 50 people are being written to because the information taken about them is considered to have the potential to put them at risk of harm.
  • A large volume of files was accessed and it has taken time for NRS working with partner agencies to identify and review what was taken.
  • At NRS we take privacy seriously and we take action to secure the privacy of individuals. However, we have a statutory obligation to make registration information available.
  • The Registration of Births, Deaths and Marriages (Scotland) Act 1965 (the 1965 Act) and the Marriage (Scotland) Act 1977 require the birth of every child born in Scotland, the marriage of every couple solemnised in Scotland, and every death which occurred in Scotland to be registered.
  • The NRS team who deliver this NHS service is based in Dumfries.