UK healthcare giant HCRG confirms hack after ransomware gang claims theft of sensitive data

U.K. healthcare giant HCRG Care Group has confirmed it’s investigating a cybersecurity incident after a ransomware gang claimed to have breached the company’s systems to steal troves of sensitive data.
HCRG Care Group is one of the largest independent providers of community health and care services in the United Kingdom. The organization, previously known as Virgin Care and now owned by Twenty20 Capital, partners with National Health Service trusts and local authorities around the U.K. to deliver healthcare services, including urgent care, sexual health, and adult and child social care services.
HCRG was this week listed on the dark web leak site of the prolific Medusa ransomware group, which claims to have compromised the company to steal more than two terabytes of data.
Samples of the allegedly stolen data shared by Medusa and seen by TechCrunch appear to include employees’ personal information, sensitive medical records, financial records, and government identification documents, such as passports and birth certificates.
HCRG spokesperson Alison Klabacher told TechCrunch in an emailed statement that the company is “currently investigating an IT security incident” and has “recently identified a post on the dark web by a group claiming responsibility.”
The company declined to say what types of data were accessed but did not dispute Medusa’s claims. HCRG also declined to say how many individuals are affected. According to the company’s website, HCRG has more than 5,000 employees and delivers healthcare services to half a million patients across the United Kingdom.
“Our team has not observed any suspicious activity since the implementation of immediate containment measures, and we are working with external forensic specialists to investigate the incident,” the spokesperson said.
HCRG said it informed the U.K.’s Information Commissioner’s Office and other regulators about the breach.
“Our services are continuing to operate and safely see patients, and those with appointments or who need to access our services should continue to do so,” the company said.
The Medusa ransomware group is threatening to publish the allegedly stolen data unless HCRG pays the gang a ransom demand of $2 million.
HCRG wouldn’t confirm how it was compromised, but Medusa is known to exploit unpatched vulnerabilities in remote desktop software.