GP staff and healthcare records compromised in ransomware attack

Half-a-million patient records at risk unless HCRG pays up

HCRG Care Group, a private healthcare company that competes for GP and other NHS contracts, has confirmed a data breach following a ransomware attack.

The company, previously owned by Richard Branson’s Virgin Care but now in the hands of private equity firm Twenty20 Capital, admitted the breach after it was listed on the dark web site of ransomware gang Medusa, which claims to have accessed and downloaded more than two terabytes of data.

The group has published 35 pages of stolen data to prove it has the information.

Compromised data includes employees’ personal information, sensitive medical records, financial records and ID documents, such as passports and birth certificates, according to TechCrunch. HCRG says it is “currently investigating” the incident, but declined to go into details.

HCRG also runs sexual and prison healthcare services across the country. A release of all the data could therefore be expensively embarrassing for the company.

The company has more than 5,000 staff and around 500,000 patients enrolled at GP services it runs. A spokesperson said it had “not observed any suspicious activity” since implementing containment measures, and that it has informed the Information Commissioner’s Office and other relevant regulators about the breach.

Details of how the healthcare organisation was compromised have not been released, but the US Cybersecurity & Infrastructure Security Agency (CISA) indicated that the gang typically takes advantage of Remote Desktop Protocol (RDP) vulnerabilities to gain access.

The news comes just one month after HCRG was awarded a seven-year contract in Trowbridge, Wiltshire worth £144 million per year – more than £1 billion in total.

Healthcare workers subject to transfer to the company claim that there had been a lack of transparency over the process. The company filed revenues of £250 million in the year to the end of March 2023.

Ransomware remains a big business for cyber criminals, and public services such as schools and hospitals are considered fair game for most gangs.

A surge in ransomware attacks was observed in July last year after the return of LockBit, just months after the ransomware gang had supposedly been taken down. That takedown, which yielded more than 2,500 working decryption keys, led to the naming of the gang leader, Dmitry Khoroshev, in May. However, with Khoroshev safely ensconced in Russia, authorities around the world can only levy sanctions against him.