NHS staff mobile numbers revealed in data breach

Getty Images Text messagingGetty Images
Text messages sent on the system are understood to have been compromised

Several NHS staff in Scotland have had their mobile phone numbers revealed in a cyber security incident.

It involved a third-party supplier to several health boards. NHS Grampian confirmed that staff phone numbers had been obtained.

NHS Dumfries and Galloway - which was seriously affected by a cyber attack earlier this year - also issued an alert to staff.

NHS National Services Scotland said the "cyber incident" had been tackled promptly and there was no risk to patient data.

Head of information and cyber security Scott Barnett said: "Although the incident did not directly target any NHS Scotland board, some workforce data has unfortunately been compromised, affecting a small number of staff.

“Impacted staff will be notified and will receive appropriate advice and guidance from their respective NHS Scotland boards."

NHS Grampian said the breach had occurred with a supplier involved in the software used for staff scheduling and management.

The health board said it understood that all text messages sent on the system over the past three months had been compromised.

It said mobile numbers may have been obtained by "unknown individuals".

NHS Grampian said the messages only contained generic information like shift confirmations and there was no personal data shared.

NHS Dumfries and Galloway also issued an alert to staff who may have been affected, but declined to comment further.

Workers have been advised to be vigilant for calls or texts from unknown numbers.

'Services unaffected'

The Scottish government said the Information Commissioner had been informed about the issue.

"Ministers are aware of an incident that resulted in the mobile numbers of those staff registered on the bank staff rostering system, used by seven health boards, being accessed," a spokesperson said.

"Individual health boards will contact affected staff.

“No NHS systems or personally identifiable information have been compromised and all services continue to be delivered as normal."