In a recent report in The Register about an attack by Medusa on HCRG in the U.K., Iain Thomson reported, “For now, then, HCRG is still operational – a stark contrast to what happened in Texas last year, when the University Medical Center in Lubbock was forced to severely limit operations and turn away ambulances following a ransomware attack. In HCRG’s case, it appears Medusa has skipped over encryption, opting instead to steal data and hold it for ransom.”
On Saturday, SuspectFile published exclusive data on the attack that they obtained from Medusa. The post contains a wealth of data on both employees and patients. De Felice writes that patient data included:
- Full name
- Date of birth
- Certificate of Birth
- Full residential address
- Email addresses
- Phone numbers (landline and mobile)
- Patient ID, Patient Number, and NHS Number
- Medical records
- Copies of passports, driving licenses, and identity cards
- National Insurance Number (NI Number) and associated documents
- Administrative and financial documents
At another point, SuspectFile notes that data from patients in Coventry included:
- Full name
- Date of birth
- Residential address
- Phone number
- Patient’s medical history
- Medical history (anamnesis)
- Prescribed medications taken
HCRG has yet to disclose much about the breach, claiming that it is still under investigation.
SuspectFile’s reporting makes it clear that this is a significant breach of private and sensitive information of both employees and patients. DataBreaches emailed HCRG to ask if they had any comment on all of the employee and patient data that SuspectFile reported, but there has been no reply as of publication.
Encryption?
In linking to the report on The Register, DataBreaches had commented, “If the claims and reporting are accurate, then Medusa has broken with its usual practice of encrypting and extorting victims as they reportedly did not lock HCRG’s systems or files.
SuspectFile’s report addresses the encryption question:
We share the doubts expressed by Dissent. Medusa informed SuspectFile.com that many files were encrypted during the attack and, although no proof was provided, its past claims about encryption have proven to be accurate.
It may be that whatever was locked has not affected patient care or operations at this point, but it sounds like some files or systems were locked. If so, we hope HCRG has usable backups.