Cyber Incident Victim: Transform Hospital Group
Date: Dec 2020
Location: United Kingdom
Summary
Transform Hospital Group suffered a ransomware attack by the REvil (Sodinokibi) group, which claimed exfiltration of approximately 600 GB of sensitive data including patient personal information, intimate photos, and official documents. The attackers threatened to release the data, with folders labeled "Pacient Personal" and "TMG OFFICIAL Documents" comprising 20 GB and 50 GB respectively. The organization confirmed a data security breach affecting some patient personal data but stated payment card details remained uncompromised. They notified affected patients, secured systems, and initiated an investigation involving the National Cyber Security Centre, Information Commissioner’s Office, cybersecurity experts, and law enforcement.
Description
In December 2020, UK-based Transform Hospital Group suffered a ransomware attack attributed to the REvil (Sodinokibi) threat actor group. The attackers publicly claimed responsibility on their dark web leak site, posting screenshots of directories from the compromised systems as evidence. REvil asserted they had exfiltrated approximately 600 GB of sensitive data, which they categorized into two primary components: a 20 GB folder labeled "Pacient Personal" containing patient records and personal data, and a 50 GB folder labeled "TMG OFFICIAL Documents" containing corporate files. The threat actors specifically referenced possession of customers' intimate photos in their statement, adding a coercive element to their data disclosure threats. Analysis of the posted screenshots suggested the data exfiltration occurred on or around December 6. REvil announced intentions to release the first batch of stolen files the following week, escalating pressure on the organization to meet potential ransom demands.

Transform Hospital Group confirmed the data security breach through an official statement, acknowledging unauthorized access to patient personal data while clarifying that payment card details remained uncompromised. The organization initiated immediate response measures by securing affected IT systems and launching a full investigation to determine the incident's scope. All patients were notified about the potential exposure of their information, with commitments to provide ongoing updates as the investigation progressed. The company engaged multiple external response partners, including the UK's National Cyber Security Centre, Information Commissioner's Office, specialized cybersecurity consultants, and law enforcement agencies. This coordinated response aimed to contain the incident, assess regulatory implications under data protection laws, and pursue potential attribution of the attackers through investigative channels.
