
Cyber Incident Victim: HCRG Care Group

Date:

Feb 2025

Location:

United Kingdom

Summary

UK-based healthcare provider HCRG Care Group suffered a ransomware incident claimed by the Medusa gang, which said it had stolen 2.275 terabytes of sensitive data including passport scans, staff records, and personal identification documents. The attackers demanded $2 million either to delete the data or to sell it, and offered to delay publication for $10,000 per day. The organization confirmed it was investigating the security event, implemented containment measures, and kept services running with no observed disruption. Medusa, which is known for targeting healthcare entities, had previously leaked data from another UK organization that refused to pay. The incident illustrates an extortion model built on data theft and the threat of publication rather than on encrypting systems.


Description

On February 12, 2025, UK-based healthcare provider HCRG Care Group confirmed it was investigating a cybersecurity incident after the Medusa ransomware gang claimed responsibility for stealing 2.275 terabytes of internal data. The attackers threatened to sell the data for $2 million or delete it for the same amount, and said they would publicly leak it by February 27 if unpaid, while offering to extend the deadline for $10,000 per day. Leaked sample documents totaling 35 pages included passport and driver’s license scans, staff rotas, birth certificates, and background check records. HCRG, which has around 5,000 staff and £250 million in annual turnover, provides child and family health services for the NHS and local authorities; it stated that its systems remained operational and that no suspicious activity had been observed following immediate containment measures. The attack did not involve system encryption and focused solely on data exfiltration for extortion. Medusa’s dark web post marked the second major UK breach by the group in 2025, following a January attack on Gateshead Council that resulted in data publication after the council refused a $600,000 ransom.


HCRG engaged external forensic specialists to investigate the breach while maintaining normal patient services, and advised the public to keep their appointments. The group’s parent company, Twenty20 Capital, was not mentioned in connection with the incident response. Medusa, active since late 2022, primarily targets Windows systems across the technology, education, manufacturing, healthcare, and retail sectors, with US and UK organizations among its most frequent victims. Historical data from security firm Cybereason indicates that 78% of organizations that paid a ransom in 2023 suffered a repeat attack, with 63% facing higher subsequent demands. Palo Alto Networks’ Unit 42 researchers classify healthcare as one of Medusa’s top five targeted industries. Public disclosure began with Medusa’s dark web announcement; HCRG confirmed the incident to media after identifying the post. No service disruptions or ambulance diversions occurred, in contrast to Medusa’s 2024 attack on University Medical Center in Texas, which forced operational limitations.
