Occasionally, entities in other countries try to take legal action against DataBreaches.net to chill or censor this site’s reporting on their breaches. None of them have prevailed, in part due to the protections we have here under the First Amendment, and in part to the legal defense afforded this site by Covington and Burling. This is another one of those cases.
A letter from Pinsent Masons
As last week drew to a close, DataBreaches was unpleasantly surprised to receive a letter from Pinsent Masons, a UK law firm. Attached to their letter was an injunction from the High Court of Justice, King’s Bench Division. The law firm’s letter stated:
We act for HCRG Care Limited.
We put you on notice, by this letter and enclosure, of an injunction ordered today by the High Court of England & Wales against a person or persons unknown (the “Order”) to prevent the publication and/or disclosure of confidential data stolen during a recent ransomware cyber-attack perpetrated against our client from on or about 26 January 2025 to on or about 12 February 2025 (the “Confidential Information”).
We urge you to read the enclosed Order closely. As you are now on notice of the fact and terms of the injunction, pursuant to paragraph 22 of the Order, it would be a contempt of court for you knowingly to assist or permit a breach of the Order, including by publishing on your website some or all of the Confidential Information stolen during the cyber-attack. Breach of the terms of the Order may result in imprisonment, a criminal fine or having your assets seized.
Accordingly, you should take the necessary steps to ensure that none of the Confidential Information is published or disclosed on your website, and take down the following articles which contain descriptions and screenshots of some of the Confidential Information:
Article of 24 February 2025 entitled ‘UK: More details emerge about ransomware attack on HCRG by Medusa – DataBreaches.Net; and
Article of 26 February 2025 entitled ‘Medusa Unveils Another 50TB of Stolen Data from HCRG Care Group, Giving Greater Insight Into the Scope of the Breach -Data Breaches.Net.
Being disinclined to remove posts that are perfectly lawful under US law and the First Amendment, and somewhat stunned that anyone would try to censor such relatively benign posts, DataBreaches turned to the injunction itself to try to find out what the basis was for the demand to remove the two posts.
The injunction
The injunction, issued by the Media and Communications List part of the King’s Bench Civil List, began with all kinds of dire warnings and threats about the consequences of noncompliance:
PENAL NOTICE
IF YOU THE RESPONDENT DISOBEY THIS ORDER YOU MAY BE HELD TO
BE IN CONTEMPT OF COURT AND MAY BE IMPRISONED OR FINED OR
HAVE YOUR ASSETS SEIZED.
ANY PERSON WHO KNOWS OF THIS ORDER AND DISOBEYS THIS ORDER
OR DOES ANYTHING WHICH HELPS OR PERMITS ANY PERSON TO
WHOM THIS ORDER APPLIES TO BREACH THE TERMS OF THIS ORDER
MAY BE HELD TO BE IN CONTEMPT OF COURT
Confusingly, the injunction did not name DataBreaches.net at all. It didn’t name anyone. It just used terms like “defendant,” “claimant,” “respondent,” and “others notified of the order.” So who was DataBreaches.net in this schema? Was it “the respondent” mentioned in the first paragraph or was it just “any person who knows of this order?” Why didn’t the injunction at least state what DataBreaches.net’s status was in this whole thing?
As I read more of the injunction, it became clear that a hearing that resulted in the injunction was held “privately” without anyone who might be affected by the order being notified so that they could appear to challenge the proposed injunction:
This Order was made at a hearing without notice to those affected by it, the Court having considered CPR 25.3(1) and section 12(2) of the HRA and being satisfied that there are compelling reasons for notice not being given, namely: the Defendant’s (or each of them) identity is unknown and s/he/it is blackmailing the Claimant. The Defendant or each of them (and anyone served with or notified of this Order) has a right to apply to the Court to vary or discharge the Order (or so much of it as affects them): see paragraph 18 below.
The court did not offer any reason at all — much less a compelling one — not to notify journalists whose work it would be censoring. Nor did it provide any justification at all for censoring media coverage of HCRG’s ransomware attack even though there is nothing unusual about the incident or the reporting on it to date. If there was any civil law violated that would justify censorship, the injunction failed to state it.
What was the Honorable Mr. Justice Soole thinking when he issued the injunction without giving affected non-defendants a chance to be heard? Did the court have anyone present to be an advocate for non-defendants who might be affected? Did he give any serious thought at all to how the public might be harmed if he prevented the media from reporting details on cybercrimes that might inform the public and help victims take steps to protect themselves from possible consequences of crimes?
According to the injunction, those affected or those who would want to dispute the terms of the injunction or seek its discharge can apply to the Court to vacate the order if they jump through some hoops and follow the instructions in Paragraph 18 of the injunction.
DataBreaches was never particularly adept at jumping through hoops. But truth be told, DataBreaches was getting more confused by the minute.
If the injunction itself didn’t name DataBreaches.net and if it didn’t mention the two posts either by URL or even by description, then how could DataBreaches be sure that the court intended to order this site to remove those two posts and not just one of them, or neither of them? Shouldn’t a court order be quite specific as to whom it applies and what they are required – exactly – to do or not do? There was no such specificity in this injunction.
Jurisdiction
But then there was Paragraph 21 of the injunction, and it was a game-changer (emphasis added by DataBreaches):
(1) Except as provided in paragraph (2) below, the terms of this Order do not affect or concern anyone outside the jurisdiction of this Court.
(2) The terms of this Order will affect the following persons in a country or state or international waters outside the jurisdiction of this Court –
(a) the Defendant or his/her officer or agent appointed by power of attorney;
(b) any person who –
(i) is subject to the jurisdiction of this Court;
(ii) has been given written notice of this Order at his/her residence or place of business within the jurisdiction of this Court; and
(iii) is able to prevent acts or omissions outside the jurisdiction of this Court which constitute or assist in a breach of the terms of this Order; and
(c) any other person, only to the extent that this Order is declared enforceable by or is enforced by a court in that country or state.
On Monday, Jason Criss of Covington and Burling emailed Pinsent Masons:
Databreaches.net is not a defendant in the proceedings in which your client obtained the Order. Moreover, it is a United States entity with no presence or other connection to the United Kingdom, and your letter was addressed to Databreaches.net’s United States email addresses. Databreaches.net is not subject to the jurisdiction of the High Court of Justice or any other court in the United Kingdom, and, by the plain terms of Order Paragraph 21, the Order does not apply to it. Accordingly, Databreaches.net will not be taking any action (or refraining from taking any action) addressed in the Order.
That should have been the end of everything, but it wasn’t.
The injunction is a threat to journalists and would leave the public in the dark
It is common practice for journalists reporting on cybercrime and the ransomware ecosystem to routinely investigate and report on claims and data posted by cybercriminals on their dark web leak sites. And when criminals leak entire data dumps, it is also common practice for some journalists who report on ransomware incidents to examine the data tranches or parts of them and to describe their observations or findings. In some cases, journalists may include some screenshots to support their reporting. The screenshots are usually redacted so as not to expose any individual’s personal or sensitive information. But it has been, and is, fairly common practice to incorporate descriptions of, and/or screenshots of, stolen data. Ever since ransomware gangs started using dark web leak sites where they post data, the public has seen such descriptions and redacted screenshots in news sites online, on news broadcasts, and in print news outlets.
When it comes to ransomware attacks on the healthcare sector, there has been significant public interest because the ransom demands are frequently significant. Because HCRG Care Group is one of the UK’s largest community services providers, it is not surprising that there would be public interest in the breach and its scope. And because the threat actor is the well-known ransomware group known as Medusa, which routinely encrypts its victims’ files, leaks some files as proof of claims on its dark web leak site, and then dumps its victims’ data on its website and Telegram channel if the victim doesn’t pay their demands, it appeared that HCRG Care may have had a significant breach.
In this case, the SuspectFile blog was able to obtain a larger sample of the exfiltrated data than had been posted on the Medusa gang’s dark web leak site. After reviewing data and redacting it to protect individuals, SuspectFile wrote solid posts describing the data and his findings. In one of its posts, there were several redacted screenshots with employee data and some with redacted patient data. In a subsequent post, SuspectFile reported on an additional 50 TB of data that Medusa made available to the journalist for reporting purposes. When asked to comment on the findings reported by SuspectFile, HCRG did not reply. With no updates from HCRG about the scope of the breach and who was affected, the only detailed reporting on the breach at that point was by SuspectFile, whose reports made clear that both employee and patient data had been accessed and acquired.
But the court’s injunction would prevent the public from finding out that the breach was a serious one with likely many people affected. Indeed, as interpreted by Pinsent Masons, the court’s injunction could open the door to widespread censorship of journalists in the UK or elsewhere. Journalists with any connection to the UK might be emailed injunctions demanding they remove past reporting on data stolen from UK entities, or they could be prohibited from any future reporting on any data stolen from a UK entity. They could even be prohibited from simply describing stolen data. Independent journalists in other countries could also be intimidated into removing their reporting if they could not afford to fight the injunction in court and were afraid of serious consequences even if they were not under UK jurisdiction.
While the injunction could have a chilling effect on the press, it may also be an exercise in futility. What will happen when the Medusa gang leaks the data they exfiltrated from HCRG (assuming for now that it will be leaked)? Will HCRG seek injunctions against every news site in the UK if their reporting uses screenshots or describes the data tranche? And what will HCRG do about all the non-journalists who may download the data leak and who may just post it in unredacted form on hacking forums or social media?
Attempting to censor journalists who are reporting responsibly is going to be ineffective and will only increase the risk of inaccurate reporting being indexed before accurate reporting. But the main issue is that while the HCRG injunction may make it harder for UK news outlets to report on the HCRG ransomware attack, it will not keep UK residents from reading reports from non-UK outlets. So what will HCRG have accomplished other than to appear to be trying to chill reporting on their breach?
Pinsent Masons’ response, or lack thereof
When Jason Criss of Covington and Burling sent an email to Pinsent Masons informing them that DataBreaches.net is a US entity with no connection to the UK and that neither the UK nor the High Court of Justice has any jurisdiction over this site, that should have been the end of the matter, right? But it wasn’t, and that’s partly why DataBreaches is reporting on this.
Yesterday morning, DataBreaches.net received an email from its domain registrar that it had been served with the injunction by Pinsent Masons, and that if DataBreaches did not remove the two posts in question within 24 hours, this website would be suspended.
The two posts were not even particularly exciting. They mainly summarized some of SuspectFile’s great reporting and linked to those posts. For those who would like to see what HCRG or the court demanded I remove, the posts can be seen at:
- UK: More details emerge about ransomware attack on HCRG by Medusa and
- Medusa Unveils Another 50TB of Stolen Data from HCRG Care Group, Giving Greater Insight Into the Scope of the Breach
DataBreaches informed the registrar that the injunction was not valid and that DataBreaches.net is not under the jurisdiction of the High Court of Justice or of the United Kingdom. Jason Criss of Covington and Burling also notified the registrar that not only was DataBreaches.net a US entity, but as the site’s domain registrar for many years, they could see for themselves that the site was registered to a US person at a US postal address with a US telephone number.
Later yesterday, the registrar responded:
Since your lawyer has already sent notice to the complainant, Pinsent and Masons, we confirm that we will not be taking any action on your domain, databreaches.net.
Additionally, we will be informing Pinsent and Masons to contact your lawyer directly should they have any further issues.
This ticket will now be closed.
Pinsent Masons did not respond to Monday’s email notification by Jason Criss that this site was not under UK or High Court jurisdiction. And at no time yesterday did Pinsent Masons contact the domain registrar to say that it was withdrawing the demand for the removal of the posts. That, too, was surprising.
Is it over? Or will there be more? DataBreaches hopes it is over.
Great thanks to Jason Criss and Covington & Burling, as always, for their defense of this site and their defense of press freedom. Covington and Burling has a pro media freedom initiative and has been recognized by the RCFP for its Freedom of the Press Pro Bono Service.