Exclusive: The Impact of the HCRG Care Group Data Breach on Patients and Employees

The Medusa ransomware group delivered a severe blow to the UK’s healthcare system, exfiltrating a massive amount of data from the servers of HCRG Care Group (HCRG) in recent weeks.

HCRG is a UK-based private provider of community healthcare and social services, headquartered in Runcorn, UK. The company employs over 5,000 people and is commissioned by the National Health Service (NHS) and local authorities in England. Founded in 2007 as Assura Medical, it was acquired by the Virgin Group in 2010 and rebranded as Virgin Care. In December 2021, it came under the control of Twenty20 Capital and adopted its current name, HCRG Care Group.

The company offers a broad range of healthcare and support services, including community care for adults and children, primary care, urgent care, and sexual health services. It collaborates with local hospitals, community services, mental health organizations, social care entities, and charitable organizations to improve and integrate services based on community needs.

Medusa-affiliated hackers successfully infiltrated HCRG’s computer systems, stealing 2.275 TB of sensitive documents, including Protected Health Information (PHI) and Personally Identifiable Information (PII) of both patients and employees. The group claimed responsibility for the attack on February 18, posting a statement on their .onion blog within the Tor network, setting a deadline of February 28 for a $2 million ransom payment. If the payment was not made, Medusa threatened to release or sell the stolen data.

SuspectFile.com has gained exclusive access to a series of sensitive documents not yet published by the criminal group, along with a file tree containing 3,570,110 entries of various documents, including:

Patient Identifying Data:

  • Full name
  • Date of birth
  • Certificate of Birth
  • Full residential address
  • Email addresses
  • Phone numbers (landline and mobile)
  • Patient ID, Patient Number, and NHS Number
  • Medical records
  • Copies of passports, driving licenses, and identity cards
  • National Insurance Number (NI Number) and associated documents
  • Administrative and financial documents

Among the compromised files, one of the most significant is an Excel document titled:
“Copy of Final sheet 8367 Staff Lists for Data – Working Copy from MB Final Version.xlsx”

Within the “FullTimeEquivalent” sheet, SuspectFile identified sensitive information related to 2,320 current and former employees of HCRG’s various Business Units, including:

  • Wiltshire
  • Primary Care
  • North Kent
  • Specialist Services
  • Corporate
  • BaNES
  • Essex
  • West Lancs
  • Surrey
  • Lancs 0-19

Although the Excel sheet contains data for 2,320 employees, only 772 have complete information. The extracted data includes:

  • Full name
  • Email address
  • Joining Date
  • Reckonable Service Date
  • AF Level
  • Position and Post
  • Contract type (permanent or casual)
  • NHS Occupation Code
  • Business Unit and Service Group affiliation
  • Cost Centre
  • Reporting Manager (name and surname)
  • Line Manager’s email
  • Contractual Hours
  • Pro-Rata Salary
  • FTE Salary (Full-Time Equivalent Salary)
  • Payroll (NHS payroll system, which tracks salary, overtime, and pension contributions)

In addition to the information found in the “FullTimeEquivalent” sheet, another sheet in the same workbook, titled “EEPercent”, contains sensitive data related to 4,725 employees of HCRG. The exfiltrated data includes:

  • Full name
  • NI Number (National Insurance Number)
  • ER Percentage (Employer Contribution Percentage), the employer’s contribution rate recorded for each employee

Continuing with the analysis of the file, in the sheet titled “PTPensionableHRS”, 3,284 confidential records related to HCRG employees were found. Many of the data entries had already been seen in the “EEPercent” sheet.

Among the exfiltrated information in the “PTPensionableHRS” sheet are:

  • Full name
  • NI Number (National Insurance Number)
  • Number of Pensionable Hours (the hours that count toward the calculation of the employee’s pension)

In another Excel file, titled “Copy of Staff Phone Email List.xlsx”, we gained exclusive access to data concerning 224 employees who were previously employed by Virgin Care, many of whom later transitioned to HCRG Care Group.

The file contains the following sensitive information:

  • Full name
  • Email address (@virgincare.co.uk)
  • Phone numbers
  • Role held within Virgin Care

The analyzed Excel file titled “Copy of updated last yr 11 2024 work now yr 12.xlsx” contains information regarding 3,924 adolescents, specifically about vaccinations that are due or scheduled. The document includes data on individuals born in 2007 and 2008, with the following sensitive details:

  • NHS Number (National Health Service Number)
  • Forename and Surname
  • Date of birth
  • Gender
  • Ethnic Description
  • Email address (in some cases)
  • Home Phone number (in some cases)
  • Mobile number (in some cases)
  • Current School Name
  • School LEA name (Local Education Authority)

In some cases, the file also reports the consent for the administration of vaccines, including:

  • TDP (Tetanus, Diphtheria, and Polio Vaccine)
  • MenACWY (vaccine for meningococcal meningitis, covering serogroups A, C, W, and Y)
  • HPV 1 (first dose of the Human Papillomavirus vaccine)
  • HPV 2 (second dose of the Human Papillomavirus vaccine)
  • MMR 1 (first dose of the vaccine for measles, mumps, and rubella)
  • MMR 2 (second dose of the vaccine for measles, mumps, and rubella)

A new file, titled “Internal AP list.xlsx”, has been exclusively analyzed by SuspectFile.com. It contains sensitive information about 324 elderly patients, including the dates of appointments for specialist visits, their health conditions, and any notes regarding mobility difficulties. The file also includes:

  • Reference date
  • Name of the referring individual
  • Full name of the patient and date of birth
  • Urgency type
  • Appointment location

The reference period starts from 04/06/2020, but the visible data covers a time span from July 2022 to October 2024.

A note in the file reads:

“Once a patient has been discharged and highlighted blue – please right click on the line number to the left and select ‘hide’. The patient will disappear from the list but will be recoverable should we need to review data. Thank you!”

By unhiding the rows concealed in this way (hiding a row in Excel only changes how the sheet is displayed; the data remains in the file), two additional lists of discharged patients from previous years emerged. The first list contains 267 patients, while the second includes 406 patients, covering the period from June 2021 to December 2022. These records contain the same information visible in the main file, including:

  • Notes on mobility difficulties
  • Dates of appointments for specialist visits
  • Reference date
  • Name of the referring individual
  • Full name of the patient and date of birth
  • Urgency type and appointment location

The total number of patients involved in the sensitive data breach across the three tables is 997.
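The recovery described above works because a hidden row in an .xlsx file is simply an ordinary `<row>` element in the sheet XML carrying a `hidden="1"` attribute; nothing is removed. The following is an added example, not code from SuspectFile.com, HCRG or the workbook discussed in the article: it builds a small constructed workbook in memory (fictional names, no real patient data), hides two rows the way Excel does, and then reads every row back with only the Python standard library, reporting how many records are visible and how many are hidden.

```python
"""Enumerate every row of an .xlsx sheet, including rows hidden via Excel's "Hide".

Added example: the workbook below is constructed in memory with fictional data;
it is not the HCRG file. The point is that a hidden row stays in the file as a
normal <row hidden="1"> element, so hiding is not redaction.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Minimal package parts needed for a valid single-sheet workbook.
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
    '</Types>')
ROOT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>'
    '</Relationships>')
WORKBOOK = (
    f'<workbook xmlns="{MAIN_NS}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>')
WORKBOOK_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
    '</Relationships>')


def build_workbook(rows, hidden_rows):
    """Return the bytes of a minimal .xlsx; rows whose 1-based index is in
    hidden_rows get hidden="1", exactly as Excel writes a hidden row."""
    parts = []
    for i, row in enumerate(rows, start=1):
        attr = ' hidden="1"' if i in hidden_rows else ""
        cells = "".join(
            f'<c r="{chr(65 + j)}{i}" t="inlineStr"><is><t>{v}</t></is></c>'
            for j, v in enumerate(row))
        parts.append(f'<row r="{i}"{attr}>{cells}</row>')
    sheet = f'<worksheet xmlns="{MAIN_NS}"><sheetData>{"".join(parts)}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("xl/workbook.xml", WORKBOOK)
        z.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def read_rows(xlsx_bytes, sheet_path="xl/worksheets/sheet1.xml"):
    """Return [(row_number, hidden, [cell texts])] for every <row>, hidden or not.
    Handles inline strings, shared strings (as real Excel files use) and plain values."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{MAIN_NS}}}t"))
                      for si in sst.findall("m:si", NS)]
        root = ET.fromstring(z.read(sheet_path))
    out = []
    for row in root.iter(f"{{{MAIN_NS}}}row"):
        hidden = row.get("hidden") in ("1", "true")  # the only difference a hidden row has
        cells = []
        for c in row.findall("m:c", NS):
            if c.get("t") == "inlineStr":
                cells.append("".join(t.text or "" for t in c.iter(f"{{{MAIN_NS}}}t")))
            else:
                v = c.find("m:v", NS)
                text = v.text if v is not None else ""
                if c.get("t") == "s" and text:
                    text = shared[int(text)]
                cells.append(text)
        out.append((int(row.get("r")), hidden, cells))
    return out


def audit(xlsx_bytes):
    """Count visible and hidden rows so a reviewer sees what a casual viewer would miss."""
    rows = read_rows(xlsx_bytes)
    hidden = sum(1 for _, h, _ in rows if h)
    return {"visible": len(rows) - hidden, "hidden": hidden, "total": len(rows)}


# Constructed sample: a header row plus four fictional records, with the two
# "Discharged" rows hidden as the note quoted in the article instructs.
SAMPLE = build_workbook(
    [["Patient", "DOB", "Urgency", "Status"],
     ["A. Example", "1938-04-02", "Routine", "Active"],
     ["B. Example", "1941-11-19", "Urgent", "Discharged"],
     ["C. Example", "1935-07-30", "Routine", "Discharged"],
     ["D. Example", "1944-01-12", "Routine", "Active"]],
    hidden_rows={3, 4})

if __name__ == "__main__":
    print(audit(SAMPLE))
    for number, hidden, cells in read_rows(SAMPLE):
        print(number, "HIDDEN" if hidden else "visible", cells)
```

The same check can be made with openpyxl by inspecting `ws.row_dimensions[n].hidden` for each row; either way, the only safe way to remove a record from a shared spreadsheet is to delete the row (and, for genuinely sensitive lists, to keep discharged patients out of working copies altogether rather than hiding them).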

Among the thousands of files exfiltrated by the Medusa cybercriminal group, we analyzed the document titled “INC0735392 Lancs 0-19 Patient List UP & UPP (active and dormant referrals exported 09-12-2020).csv”. This file contains a total of 15,007 rows of data, corresponding to the same number of patients.

The data in the file includes sensitive information, such as:

  • TITLE (Patient’s title)
  • FIRSTNAME (Patient’s first name)
  • LASTNAME (Patient’s last name)
  • SERVICE_DESC (Description of the medical service or treatment)
  • SERVICE_PART (Part of the service or component of the system providing the treatment)
  • COMMISSIONER_NAME (Name of the entity commissioning the service or the financier)
  • COMMISSIONER_CODE (Identification code of the funding entity)
  • PRACTICE_NAME (Name of the medical practice or facility providing the service)
  • And many more details.

Among the documents stolen by the Medusa group, we analyzed the file “PTMSK (SW) OP Farnham – All Dormant Patients.xlsx”, which contains sensitive data of 134 patients who, over the years, have sought medical care at HCRG facilities in the town of Farnham, Surrey, England.

The analysis of the file name suggests it may refer to a specific medical service:

  • PTMSK: Likely refers to Physiotherapy & Musculoskeletal (PT & MSK), i.e., a physiotherapy and musculoskeletal treatment service.
  • (SW): Could refer to South West, indicating a specific region (Farnham lies in the south-west of Surrey, so the abbreviation may be local rather than a reference to the South West of England).
  • OP: Usually means Outpatient, i.e., ambulatory patients.
  • Farnham: Indicates the location where the service is provided.

Therefore, “PTMSK (SW) OP Farnham” could refer to an outpatient physiotherapy and musculoskeletal treatment service in a south-west area, delivered in the town of Farnham.

The file contains personal and medical information of 134 patients, including:

  • PATIENT_ID (Patient identifier)
  • PATIENT_NUMBER (Patient number)
  • NHS_NUMBER (Patient’s unique NHS identifier)
  • TITLE (Patient’s title)
  • FIRSTNAME (Patient’s first name)
  • LASTNAME (Patient’s last name)
  • PATIENT_STATUS (Patient’s status within the healthcare system)
  • PATIENT_TYPE (Patient type, e.g., outpatient or inpatient)
  • CALLING_NAME (Name used to contact the patient)
  • CURRENT_CASELOAD (Current caseload assigned to the patient)
  • REFERRED_DATE (Referral date for treatment)
  • REGISTERED_GP_PRACTICE_CODE (Unique identifier for the patient’s registered GP practice)
  • SOURCE_OF_REFERRAL_COMM (Referral source, i.e., the entity that directed the patient to the service, such as a GP, hospital, or clinic)
  • SERVICE (Type of medical service received)
  • SERVICE_PART (Part of the service or specific component of the treatment)
  • COMMISSIONER_CODE (Code identifying the entity financing or commissioning the service)

At the beginning of the article, we mentioned that medical records were among the many types of exfiltrated data. The medical records we examined contain:

  • Full name
  • Date of birth
  • Residential address
  • Phone number
  • Patient’s medical history (anamnesis)
  • Prescribed medications taken

In an article published on DataBreaches.net on February 20, Dissent questioned the hypothesis that the Medusa group did not encrypt the data after exfiltrating it from the healthcare organization’s servers. This statement references an article by Iain Thomson published on The Register, where the author suggests that Medusa might have only exfiltrated the data without applying any encryption.

We share the doubts expressed by Dissent. Medusa informed SuspectFile.com that many files were encrypted during the attack and, although no proof was provided, its past claims about encryption have proven to be accurate.

The massive volume of documents exfiltrated during the cyberattack, and, more importantly, the large number of individuals whose data was stolen, highlight the severity of the breach suffered by HCRG Care Group.

This incident raises crucial questions about the security of healthcare infrastructures, the protection of sensitive data, and the measures in place to prevent similar attacks in the future. While authorities and the company assess the impact of the breach, the fear remains that highly confidential information could be disseminated or used for illicit purposes.

The attack on HCRG Care Group serves as a warning about the vulnerability of the healthcare sector and the need for more robust cybersecurity strategies, to protect not only the data but also the trust of millions of patients and healthcare professionals.

At the moment, we have not found any statements on the HCRG Care Group website informing patients about the cyberattack and the resulting data theft.

This article will be updated as soon as further details about the case become available.