
Cyber Incident Victim: Transform Hospital Group

Date: Dec 2020

Location: United Kingdom

Summary

A ransomware group known as REvil breached the IT systems of a UK-based cosmetic surgery provider, stealing sensitive patient data including before-and-after photographs and threatening to publish the material. The attackers claimed possession of over 900 gigabytes of intimate patient images, though many reportedly lacked facial identifiers. The compromised data involved personal details but excluded payment card information. The organization notified regulators and contacted affected customers about potential exposure of private medical records, prompting concerns among patients about confidentiality breaches and unwanted disclosure of surgical procedures. The incident exemplifies double-extortion tactics increasingly employed by ransomware operators, who both encrypt systems and threaten data leaks to pressure victims. REvil has previously targeted high-profile entities across multiple sectors using similar strategies.


Description

In December 2020, the Transform Hospital Group (also known as The Hospital Group), a UK-based cosmetic surgery and weight loss provider with 11 clinics, suffered a ransomware attack by the cybercriminal group REvil (also identified as Sodinokibi). The attackers infiltrated the company’s IT systems, exfiltrating over 900 gigabytes of sensitive patient data, including before-and-after photographs documenting surgical procedures such as breast augmentations, chest reductions, nipple corrections, and nose adjustments. REvil threatened to publish these "intimate photos," which it disparagingly described as "not a completely pleasant sight," on its darknet site unless a ransom was paid. The group also claimed possession of additional personal data, though specific details beyond the photographs were not disclosed in their public statements. Transform Hospital Group confirmed the breach in a public announcement, stating that while patient payment card details remained uncompromised, personal data—including the photographs—had potentially been accessed. The company notified the UK Information Commissioner’s Office of the incident and initiated direct communications with affected patients via email, pledging further contact with individuals whose more sensitive details were at heightened risk.


The breach raised significant privacy concerns among patients, particularly due to the deeply personal nature of the stolen imagery. One patient, Simon Hails, who underwent chest reduction surgery, reported receiving only a generic email referencing a "data security incident" without explicit mention of the ransom threat or the specific exposure of his pre- and post-operative photos. Hails expressed distress over the potential public disclosure of these images, emphasizing that he had kept his surgery private from friends and colleagues. Transform Hospital Group noted that many of the photographs did not include patients’ faces, potentially limiting identifiability, though this did not eliminate risks given the distinctive nature of surgical imagery. The incident occurred amid a reported 25% surge in the company’s surgery requests since 2019, attributed by CEO Tony Veverka to heightened health consciousness during the COVID-19 pandemic. REvil, a prolific ransomware operator linked to high-profile attacks against Travelex and Grubman Shire Meiselas & Sacks, employed a double-extortion tactic—stealing data before encrypting systems—to pressure victims into paying ransoms. Law enforcement agencies globally discourage such payments, citing their role in sustaining criminal enterprises like REvil, which cybersecurity firm Emsisoft estimated earned $25 billion from ransomware operations in 2020 alone. Transform Hospital Group’s breach underscored the vulnerabilities of healthcare-adjacent entities storing highly sensitive visual data and the escalating risks of ransomware gangs weaponizing personal information beyond financial records.
