Exclusive: Medusa Unveils 50TB of Stolen Data from HCRG’s Network, Gaining Full Control – HCRG Labeled Liars by the Ransomware Group


After publishing our first article on February 23, we are now releasing this second piece with new and exclusive details about the cyberattack that recently targeted HCRG Care Group, a private provider of healthcare and social services based in Runcorn, United Kingdom. The incident has proven to be far more severe than the volume of data Medusa first claimed on its .onion blog suggested.

On February 18, the cybercriminal group published a set of 35 images as a proof file. We initially believed these were part of the 2.275 TB that Medusa had declared as the total amount of data exfiltrated from HCRG’s servers. However, the reality is quite different, as is the context in which the data theft occurred. Medusa has informed us that the exfiltration also reached two further internal HCRG domains (the .local suffix is the naming convention of legacy Active Directory domains, not of public subdomains):

  • assuramedical.local
  • VCL.local

Who is Assura Medical, and what does the acronym VCL stand for?

Assura Medical was a division of the British company Assura plc, specializing in the design, construction, investment, and management of primary healthcare facilities in the UK. Founded in 2003 as The Medical Property Investment Fund, the company rebranded as Assura Group in 2006. In 2010, Assura sold its medical division, Assura Medical, to the Virgin Group, which later renamed it Virgin Care. In December 2021, Virgin Care was acquired by Twenty20 Capital, a private equity firm, and in 2022 it was rebranded as HCRG Care Group.

The acronym VCL stands for Virgin Care Limited, which was a division of the Virgin Group.

We have once again reached out to Medusa to confirm whether the servers were encrypted, as some blogs and online news outlets have raised doubts following statements made by an HCRG spokesperson to journalist Iain Thomson of The Register, in which it was claimed:

“Our team has not observed any suspicious activity since the implementation of immediate containment measures, and we are working with external forensic specialists to investigate the incident. Our services are continuing to operate and safely see patients, and those with appointments or who need to access our services should continue to do so.”

A statement that acknowledges the incident and the containment measures, but says nothing about whether systems were encrypted, how much data was taken, or how much of the corporate network was affected.

We asked Medusa for a comment on these statements, and this was their response:

HCRG: really the fucking liars.

The ransomware group not only reiterated its previous claim that the data had indeed been encrypted, but also gave the actual volume of data encrypted by one of its affiliates: approximately 50 TB. Only about 2 TB of that had been exfiltrated and uploaded to the group’s infrastructure, so the 50 TB figure describes what was encrypted on HCRG’s systems, not what left the network.

We have uploaded 2TB, encrypted at least 50TB or more

The deadline set by the ransomware group for the $2 million ransom payment expires on February 28. If the payment is not made, Medusa has threatened to release or sell the stolen data.

Meanwhile, the cybercriminals have informed us that, in recent days, HCRG entered the negotiation chat without posting any message.

The British company remains silent and has not published a statement on its website to inform patients about the situation. In an article published on DataBreaches.net, journalist Dissent writes:

DataBreaches emailed HCRG to ask if they had any comment on all of the employee and patient data that SuspectFile reported, but there has been no reply as of publication.

With the ransom deadline set for February 28, it remains to be seen whether HCRG Care Group will take any action or continue its silence. So far, the company has not issued any official statement to inform its patients about the breach. Meanwhile, Medusa stands firm on its claims, reiterating that the data was both exfiltrated and encrypted and warning that it will be released or sold if the ransom is not paid. The group has also provided additional evidence, including a dump of the domain’s computer account list, the kind of enumeration that by default requires at least an authenticated account in the Active Directory domain and is therefore consistent with the access to HCRG’s IT infrastructure that the group claims. As the deadline approaches, questions remain about the true impact of the attack and HCRG’s strategy for handling the crisis. Will the company finally acknowledge the full scope of the breach and communicate transparently with those affected? Or will Medusa follow through on its threats, exposing sensitive data to the public or to potential buyers? For now, HCRG remains silent, but Medusa is making sure the world is listening.