Several NHS staff in Scotland have had their mobile phone numbers exposed following a cybersecurity incident involving a third-party supplier. The breach, which affected staff across multiple health boards, was confirmed by NHS Grampian and NHS Dumfries and Galloway, both of which have issued alerts to their employees.
NHS National Services Scotland acknowledged the incident, emphasizing that while some workforce data was compromised, there was no risk to patient information. Scott Barnett, Head of Information and Cyber Security, stated that the incident did not directly target any NHS Scotland board, but did result in the exposure of some staff mobile numbers. Impacted staff are being notified and will receive guidance from their respective health boards.
NHS Grampian revealed that the breach occurred with a supplier responsible for the software used for staff scheduling and management. It is believed that all text messages sent through the system over the past three months were compromised, potentially allowing unknown individuals to obtain the mobile numbers of staff. These messages contained only generic information, such as shift confirmations, and did not include any personal or sensitive data.
NHS Dumfries and Galloway, which experienced a severe cyber attack earlier in the year, also informed staff who may have been affected but declined to provide further details. Workers across the affected health boards have been advised to remain vigilant for any suspicious calls or texts from unknown numbers.
The Scottish government has been informed of the breach and has notified the Information Commissioner. A government spokesperson confirmed that the breach involved the mobile numbers of staff registered on the bank staff rostering system used by seven health boards. However, the spokesperson reassured that no NHS systems or personally identifiable information had been compromised and that all services are continuing as normal.
