Massive cyberattack strikes U.K. healthcare giant HCRG Care Group: Sensitive data at risk

HCRG Care Group confirmed it’s investigating a ransomware attack after the Medusa gang claimed to have stolen over two terabytes of sensitive data—including patient records, employee details, and financial documents.

The hackers are demanding a $2 million ransom, threatening to leak the data if unpaid. Despite the breach, HCRG says services for its 500,000+ patients remain operational. Authorities, including the Information Commissioner’s Office, have been notified.

HCRG Care Group confirmed it is investigating a cybersecurity incident after the Medusa ransomware group claimed responsibility for infiltrating the company’s systems. According to Medusa, more than two terabytes of sensitive data were stolen, an amount equivalent to hundreds of millions of text pages.

Samples of the alleged data, reportedly shared on Medusa’s dark web site and reviewed by the American media outlet TechCrunch, appear to include personal information of employees, sensitive patient medical records, financial documents, and government-issued identification such as passports and birth certificates. While HCRG has not verified the nature of the stolen data, it has not refuted Medusa’s claims either.

Formerly known as Virgin Care, HCRG Care Group operates under the ownership of investment firm Twenty20 Capital. The organization plays a pivotal role in the U.K. healthcare system, partnering with National Health Service (NHS) trusts and local authorities to provide services ranging from urgent care to sexual health and social care for adults and children. With over 5,000 employees and a patient base exceeding 500,000 across the U.K., the scope of this breach could be profound.

Cyberattacks on healthcare providers are not just about data theft—they are matters of life and death. Stolen patient records can lead to identity theft, insurance fraud, and even blackmail. “Healthcare data is among the most valuable on the black market,” said Dr. Elena Hughes, a cybersecurity expert at the University of Cambridge. “Unlike a credit card that can be changed, your medical history is permanent.”

A 2024 report by CyberSafe UK found that 43% of U.K. healthcare organizations experienced a cybersecurity incident in the past year, highlighting the sector’s vulnerability. With Medusa demanding a ransom of $2 million, experts warn that paying may not guarantee data safety. “Paying ransoms can fuel further attacks,” Dr. Hughes added.

How Did This Happen?

HCRG has not disclosed how its systems were breached, but Medusa is known to exploit unpatched vulnerabilities in remote desktop software—a common point of entry in similar attacks. Cybersecurity firm RedShield Security warns that failure to update software and train staff on phishing tactics are the leading causes of such breaches.

Alison Klabacher, an HCRG spokesperson, stated, “Our team has not observed any suspicious activity since implementing immediate containment measures. We are working closely with external forensic specialists to investigate the incident thoroughly.” HCRG has also notified the U.K.’s Information Commissioner’s Office (ICO) and other regulators.

Despite the breach, HCRG assures patients that services remain operational. “Our services are continuing to operate safely, and patients should attend their appointments as usual,” Klabacher said. However, the reassurance has not quelled public concern. “I trust the NHS, but this makes me wonder how safe my records really are,” said Sarah Coleman, a patient in Manchester.

Ransomware attacks against healthcare providers are part of a disturbing global trend. According to a 2024 study by CyberWatch International, healthcare was the second most targeted sector for cyberattacks worldwide, trailing only behind the financial industry. Attacks often surge during times of crisis, exploiting healthcare systems already stretched thin.

Governments and organizations are responding with increased funding for cybersecurity defenses, but experts like Dr. Hughes believe more must be done. “It’s not just about technology; it’s about people and processes. We need comprehensive cybersecurity education at every level of these organizations,” she emphasized.

As investigations continue, the priority remains protecting patient data and preventing further breaches. The ICO has the authority to impose significant fines if HCRG is found to have failed in its data protection duties. Meanwhile, Medusa’s threat to publish the stolen data if the ransom is not paid looms over HCRG.

For now, patients are advised to stay vigilant for signs of identity theft and remain in contact with their healthcare providers for updates.

 

Fabrice Iranzi

Journalist and Project Leader at LionHerald, with a strong passion for tech and new ideas, serving Digital Company Builders in the UK and beyond
E-mail: iranzi@lionherald.com
