Extortion Attack on NHS Dumfries and Galloway Exposed Children’s Health Records
NHS Dumfries and Galloway disclosed a cyberattack that raised the risk of patient data exposure, and weeks later stolen records linked to the incident were published online as part of an extortion campaign. Reporting indicated that highly sensitive files involving children’s health information were among the leaked material, escalating the impact from service disruption to a serious confidentiality breach affecting vulnerable patients.
The incident fits a broader pattern of ransomware and extortion operations targeting healthcare providers, where attackers disrupt clinical systems and use stolen data to pressure victims. Similar attacks previously hit New Zealand’s Waikato District Health Board, where a ransomware intrusion crippled hospital IT, forced lengthy restoration from backups across hundreds of servers and thousands of workstations, and underscored that healthcare organizations remain high-value targets because outages and data theft can directly affect patient care.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Stolen children's health records from NHS Dumfries and Galloway posted online
By early May, stolen children's health records linked to the NHS Dumfries and Galloway incident were posted online as part of an extortion attempt, showing the attack had escalated to public data exposure.
NHS Dumfries and Galloway discloses cyberattack with patient data at risk
NHS Dumfries and Galloway in Scotland disclosed a cyberattack and warned that patient data could be at risk, bringing the incident into public view.
Waikato DHB restores over half of affected servers
Waikato DHB said more than half of the servers impacted by the ransomware attack had been restored over the previous four days. The organization said it would not pay the ransom and expected radiology and laboratory services to return the following week.
Waikato DHB attack described as New Zealand's biggest cyberattack
Reporting a week later characterized the Waikato DHB incident as the biggest cyberattack in New Zealand history, marking a public escalation in understanding of the scale and severity of the breach.
Waikato DHB hit by ransomware attack disrupting hospital systems
Waikato District Health Board in New Zealand suffered a ransomware attack that crippled parts of its health IT environment, affecting several hundred servers, major network sites, and thousands of workstations across hospital services.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Stolen children’s health records posted online in extortion bid | The Record from Recorded Future News
therecord.media
Open sourceNHS Dumfries and Galloway Faces Cyberattack, Patient Data at Risk
hackread.com
Open sourceWaikato DHB ransomware attack: Half of servers restored in past four days | RNZ News
web.archive.org
Open sourceWaikato DHB cyber attack 'biggest in New Zealand history' - NZ Herald
web.archive.org
Open sourceCyber attack similar to HSE breach cripples New Zealand district’s health system - Independent.ie
web.archive.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
XP95 Data-Theft Attack on Healthdaq Exposes Sensitive Healthcare Recruitment Records
Healthdaq, a Dublin-based recruitment platform used by Northern Ireland health trusts and other public health bodies, disclosed unauthorized access to its systems after attackers linked to the **XP95** extortion group claimed to have stolen nearly half a million files. Reported exposed data includes names, contact details, CVs, qualifications, passport copies, other government-issued identification, criminal background checks, vaccine records, forms, and in some cases health information. Healthdaq said it detected the breach on 30 March, contained the incident, and notified regulators and law enforcement, including the Garda National Cyber Crime Bureau, while the UK Information Commissioner's Office said it is assessing the company’s report. The incident prompted heightened alerts across Northern Ireland health trusts because of the volume and sensitivity of the compromised records and the risk of identity theft, fraud, and misuse of personal information. Reporting indicates Healthdaq received a ransom demand, and threat intelligence describes XP95 as a newly observed actor using a **pure data theft and extortion** model rather than file-encrypting ransomware; its first publicly identified victim was Eholo Health, a Spanish mental health SaaS provider serving psychologists in Spain and Andorra. The breach also underscored broader pressure on healthcare technology suppliers after a separate attack on Dutch EPD vendor ChipSoft disrupted hospital services and triggered parliamentary scrutiny over sector dependence on a small number of critical vendors.
May 25, 2026
Conti Ransomware Crippled Ireland’s Health Service and Exposed Stolen Data
Ireland’s Health Service Executive (HSE) was hit by a major **Conti ransomware** attack that forced the shutdown of national health IT systems, disrupted hospital clinics, maternity services, radiology, GP referrals, and parts of Covid-19 testing and contact tracing, while emergency care and the vaccination programme continued. Irish officials said the attack began early on a Friday morning, described it as one of the most serious cybercrime incidents ever faced by the state, and confirmed the government would **not pay** a bitcoin ransom. Investigators also examined related hostile activity, including an attempted intrusion at the Department of Health and earlier distributed denial-of-service activity, while Gardaí, the National Cyber Security Centre, Defence Forces, Europol, and outside cybersecurity experts joined the response. The attackers were reported to have demanded about **$20 million** and claimed to have stolen roughly **700 GB** of data, raising fears that patient and employee information could be leaked on dark-web extortion sites. Recovery was expected to take weeks as the HSE rebuilt systems and shifted many services to manual processes, while the health service sought court injunctions to restrain the sharing of hacked data. The financial fallout later climbed to about **$600 million**, and the long tail of the breach continued years later, with the HSE offering compensation to some victims affected by the system-wide cyberattack.
May 26, 2026