NHS Scotland Domain Breached to Host Adult Content and Illegal Sports Streams, Exposing Infrastructure Vulnerabilities

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Legacy systems exploited: Cybercriminals breached NHS Scotland domains, targeting vulnerable web infrastructure to redirect traffic to unauthorized external servers.
  • Illicit content hosting: Threat actors aggressively repurposed these compromised healthcare domains for illicit content hosting, serving adult material and illegal sports broadcasts.
  • Impact: The unauthorized domain manipulation involved The New Surgery in Kilmacolm and the Lerwick GP Practice.

Several NHS domains belonging to local medical practices were compromised. Threat actors hijacked subdomains linked to the National Health Service to push links to adult content and illegal sports streams, recent threat intelligence reveals.

The attacks compromised legacy web infrastructure tied to The New Surgery in Kilmacolm, as well as the active domain of the Lerwick GP Practice, as per Public Services Delivery Scotland CISO Scott Barnett. 

Investigating the Compromised Healthcare Domains

Former cybersecurity engineer Nick Hatter identified multiple instances of unauthorized access affecting regional medical facilities that were recently indexed by Google, some dating back as far as January. 

The NHS breach involved the “nhs.uk” and “scot.nhs.uk” closed domains. Visitors navigating to these addresses encountered adult entertainment and illegal streaming services rather than legitimate medical information.

NHS Greater Glasgow and Clyde, alongside the Public Services Delivery Scotland Cyber Center of Excellence, rapidly initiated containment protocols. External-facing web properties suffered defacement and redirection, but core patient databases and national clinical systems remain completely secure, a spokesperson for NHSGGC has told The Register.

Unknown Tactic

Hatter assessed that the NHS Scotland hijacking likely stemmed from a DNS attack or a compromised WordPress setup, rather than a direct breach of top-level NHS routing infrastructure.

“The ‘scot.nhs.uk’ subdomains are managed by NHS Scotland, so somehow someone has managed to set up a subdomain of ‘scot.nhs.uk,’ which should be under NHS Scotland's control,” he added.

In February 2026, the malicious Outlook Add-in AgreeToSteal compromised 4,000 accounts via subdomain takeover.

