Cyber Incident Victim: Hammersmith Medicines Research
Date:
Mar 2020
Location:
United Kingdom
Summary
A UK medical research organization preparing for COVID-19 vaccine trials suffered a ransomware attack by the Maze group, which encrypted files and exfiltrated sensitive patient data including medical questionnaires, passports, and national insurance numbers. After the victim refused payment, the attackers publicly leaked a sample of records belonging to over 2,300 former patients, contradicting their prior public pledge to avoid targeting healthcare entities during the pandemic. The organization restored systems without downtime but faced regulatory scrutiny over the exposure of highly sensitive information. Cybersecurity firms offered free assistance to healthcare providers combating ransomware during the crisis, while law enforcement agencies engaged to assess the incident's impact. The attackers later removed the leaked data following media coverage.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 14, 2020, Hammersmith Medicines Research (HMR), a UK-based medical research organization involved in early clinical trials for vaccines and treatments including Ebola and Alzheimer’s, experienced a severe cyberattack by the Maze ransomware group. IT staff detected the attack in progress and successfully halted it, restoring computer systems and email functionality by the end of the same day. The company reported no operational downtime following the incident. Maze claimed responsibility for the ransomware attack on its website, aligning with its established pattern of encrypting victim files and demanding payment for decryption. After HMR refused to negotiate, the group escalated its tactics on March 21 by publishing sensitive medical and personal data belonging to over 2,300 former patients. The leaked records, sampled from individuals with surnames starting with G, I, and J, included historical medical questionnaires, passport copies, driver’s licenses, and national insurance numbers, some dating back 8-20 years. At least one valid passport was among the exposed documents.
HMR’s clinical director, Malcolm Boyce, confirmed the hackers provided these files as proof of network access alongside their ransom demand but stated the company would not pay under any circumstances. The attack occurred despite Maze’s public pledge on March 18—two days after breaching HMR—to avoid targeting medical organizations during the COVID-19 pandemic. Security experts highlighted the inconsistency between the group’s statements and actions, emphasizing the unreliability of such assurances. Maze employed its characteristic double-extortion strategy, combining data encryption with threats to leak stolen information, and historically used exploit kits targeting software vulnerabilities or phishing emails to compromise networks. Following media coverage by Computer Weekly on March 22, Maze removed the published patient data from its site. The UK National Crime Agency and Information Commissioner’s Office acknowledged the incident, with the latter underscoring the legal obligations surrounding medical data protection. Cybersecurity firms Emsisoft and Coveware concurrently offered free ransomware assistance to healthcare providers during the pandemic, including decryption support and negotiation services.