Full Report
Source headline (TechCrunch): The prolific Medusa ransomware group claims to have stolen troves of data from HCRG, including patients’ sensitive health data.
Analysis Summary
# Incident Report: Medusa Ransomware Attack on HCRG Care Group
## Executive Summary
UK healthcare provider HCRG Care Group confirmed an ongoing investigation into an IT security incident after the Medusa ransomware group listed the company on its leak site, claiming to have breached its systems and exfiltrated more than two terabytes of data. According to the group's listing, the data includes employee personal information, patient medical records, financial records, and scans of government identification documents; HCRG has not independently confirmed the contents or volume. HCRG is investigating with external forensic specialists, has implemented containment measures, and has notified the UK Information Commissioner's Office (ICO).
## Incident Details
- Discovery Date: Disclosed the week of February 17, 2025, following a dark web listing.
- Incident Date: Not disclosed. The intrusion and the exfiltration necessarily predate the leak-site listing, but HCRG has not stated when access was first obtained or how long the attackers were present.
- Affected Organization: HCRG Care Group (formerly Virgin Care).
- Sector: Healthcare/Community Health and Care Services.
- Geography: United Kingdom.
## Timeline of Events
### Initial Access
- Date/Time: Unknown.
- Vector: Not disclosed. Medusa has claimed the intrusion, but neither the group nor HCRG has said how access was obtained.
- Details: No initial access vector has been published. Phishing, stolen credentials and exploitation of an internet-facing service are all common ransomware entry points, but attributing any of them to this incident would be speculation until the forensic findings are released.
### Lateral Movement
- Details: Not disclosed. Reaching staff records, patient medical records and scanned identity documents across an organisation of HCRG's size implies access to more than one system or file store, but no lateral-movement details have been published.
### Data Exfiltration/Impact
- Details: Over 2 TB of data stolen, including employee PII, sensitive medical records, financial records, and government IDs (passports/birth certificates).
### Detection & Response
- Detection: External. HCRG's public confirmation followed the Medusa group listing HCRG on its dark web leak site; whether internal controls detected the intrusion or the data transfer before the listing has not been stated.
- Response Actions: HCRG confirmed the incident, engaged external forensic specialists, and implemented immediate containment measures. The U.K.’s Information Commissioner’s Office (ICO) was also informed.
## Attack Methodology
- Initial Access: Not disclosed. The report gives no initial vector (phishing, credential abuse or vulnerability exploitation); only the outcome, a Medusa ransomware intrusion, is known.
- Persistence: Not disclosed. Transferring two terabytes out of a corporate network takes hours to days even on a fast uplink, so sustained access is very likely, but the mechanism is not public.
- Privilege Escalation: Not disclosed.
- Defense Evasion: Not disclosed. The volume claimed indicates the transfer was not blocked at the network edge; whether it was detected, and when, is not public.
- Credential Access: Not disclosed. Possession of stolen records does not by itself show that credentials were harvested; the report gives no evidence either way.
- Discovery: Not disclosed. Locating the shares or databases holding these record types requires some internal reconnaissance, but no details have been released.
- Lateral Movement: Not disclosed; inferred only from the range of data sets affected.
- Collection: Gathering of employee information, medical records, financial data, and government ID scans, per the group's listing.
- Exfiltration: Transfer of more than two terabytes of collected data, completed before HCRG's containment measures took effect.
- Impact: Data theft followed by public listing on the Medusa dark web leak site, the group's standard extortion step. No encryption of HCRG systems has been reported.
## Impact Assessment
- Financial: Not disclosed. Expected costs include the forensic investigation, remediation, notification of affected patients and staff, and any ICO enforcement action under UK GDPR.
- Data Breach: Over 2 TB of sensitive data claimed stolen, including employee PII, patient health data (special category data under UK GDPR), financial records, and scans of government IDs (passports, birth certificates) belonging to employees and potentially patients or partner organisations.
- Operational: The nature of the response (investigation, containment) suggests operational disruption, though the extent is not detailed.
- Reputational: Significant reputational damage due to the breach of trust associated with handling sensitive patient and employee data.
## Indicators of Compromise
- Network indicators: None provided (No specific domains or IPs mentioned).
- File indicators: None provided.
- Behavioral indicators: None published. The only public signal was external, the Medusa leak-site listing; no staging, egress, or tooling behaviours from the HCRG environment have been released, so defenders cannot derive hunt queries from this report alone.
## Response Actions
- Containment: Immediate containment measures were implemented.
- Eradication: Not detailed. The external forensic investigation is ongoing and HCRG has not stated the scope of the compromise or whether attacker access has been fully removed.
- Recovery Actions: Not disclosed.
## Lessons Learned
- Key Takeaways: HCRG delivers services on behalf of NHS trusts, so a breach at the provider exposes data its commissioners are accountable for. Outsourced healthcare providers need the same endpoint, identity and egress controls as the bodies they serve, because the data is equally valuable to extortion groups.
- What could have been done better: Detection before exfiltration. A multi-terabyte transfer is hard to hide on the wire, and the stages that precede it (initial foothold, archive creation or other data staging, sustained outbound traffic to an unfamiliar destination) each offer a detection opportunity before the group announces the theft.
## Recommendations
- Implement multi-factor authentication (MFA) across all critical systems, especially those accessing sensitive patient and employee records.
- Review and enhance data loss prevention (DLP) strategies to monitor and block large-scale unauthorized data egress.
- Conduct penetration testing and access reviews targeting the paths by which an ordinary user account, or an unauthenticated attacker, can reach repositories of patient and staff records, and reduce those paths to the roles that need them.
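The recommendations above call for egress monitoring that would have surfaced a multi-terabyte transfer before the leak-site listing. The following is an added illustration, not HCRG's tooling and not code from the TechCrunch report, of the baseline-versus-today check such monitoring performs: each host's external egress for a day is compared with that host's own median daily egress over earlier days, and an alert fires only when the day exceeds both an absolute floor and a multiple of the baseline. The flow records, the address ranges treated as internal, and the thresholds are all constructed assumptions for the example.

```python
"""Per-host egress-volume anomaly detection over constructed flow records.

Added example only. Assumptions: a NetFlow/IPFIX-style CSV export with one
row per flow, `bytes_out` being bytes sent by `src_ip`, and an
organisation-defined set of internal ranges. None of the traffic is real.
"""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median
import csv
import io

# Constructed sample: one host with a quiet week then 40 GB to a new external
# address overnight; one host whose only large transfer is an internal backup;
# one host with no history at all. The 198.51.100.0/24 and 203.0.113.0/24
# ranges are documentation addresses standing in for real external hosts.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes_out
2025-02-10T09:12:00,10.20.1.15,203.0.113.7,443,1800000
2025-02-10T14:03:00,10.20.1.15,203.0.113.9,443,600000
2025-02-11T10:40:00,10.20.1.15,203.0.113.7,443,2100000
2025-02-12T11:05:00,10.20.1.15,203.0.113.7,443,1900000
2025-02-13T09:50:00,10.20.1.15,203.0.113.7,443,2600000
2025-02-14T16:20:00,10.20.1.15,203.0.113.9,443,2200000
2025-02-15T01:10:00,10.20.1.15,198.51.100.23,443,15000000000
2025-02-15T02:25:00,10.20.1.15,198.51.100.23,443,14000000000
2025-02-15T03:40:00,10.20.1.15,198.51.100.23,443,11000000000
2025-02-15T09:00:00,10.20.1.15,203.0.113.7,443,2000000
2025-02-10T09:00:00,10.20.1.22,203.0.113.7,443,3000000
2025-02-11T09:00:00,10.20.1.22,203.0.113.7,443,3100000
2025-02-12T09:00:00,10.20.1.22,203.0.113.7,443,2900000
2025-02-13T09:00:00,10.20.1.22,203.0.113.7,443,3000000
2025-02-14T09:00:00,10.20.1.22,203.0.113.7,443,3200000
2025-02-15T09:00:00,10.20.1.22,203.0.113.7,443,3500000
2025-02-15T22:00:00,10.20.1.22,10.20.5.10,445,60000000000
2025-02-15T02:00:00,10.20.1.40,198.51.100.23,443,8000000000
"""

# Assumed internal ranges. Deliberately explicit rather than ipaddress'
# is_private, which also classifies the documentation ranges used above as
# non-global and would hide the "external" traffic in this sample.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination is outside the organisation's own ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(csv_text: str):
    """Return {src_ip: {date: [total_bytes, {dst_ip: bytes}]}} for external flows only.

    Internal transfers (backups to a NAS, file-server copies) are dropped so
    that routine bulk traffic inside the network does not drown the signal."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, defaultdict(int)]))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_external(row["dst_ip"]):
            continue
        day = date.fromisoformat(row["ts"][:10])
        n = int(row["bytes_out"])
        entry = totals[row["src_ip"]][day]
        entry[0] += n
        entry[1][row["dst_ip"]] += n
    return totals


def detect_egress_anomalies(csv_text: str, day, ratio: float = 10.0, min_bytes: int = 5 * 10**9):
    """Flag hosts whose external egress on `day` is at least `min_bytes` and,
    where the host has history, at least `ratio` times its median daily egress
    over earlier days. Hosts with no history are judged on the floor alone, so
    a brand-new machine moving gigabytes out still alerts (baseline None)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    totals = daily_external_egress(csv_text)
    alerts = []
    for host, per_day in totals.items():
        if day not in per_day:
            continue
        today_bytes, by_dst = per_day[day]
        history = [t for d, (t, _) in per_day.items() if d < day]
        baseline = median(history) if history else None
        if today_bytes < min_bytes:
            continue
        if baseline is not None and today_bytes < ratio * baseline:
            continue
        top_dst, top_bytes = max(by_dst.items(), key=lambda kv: kv[1])
        alerts.append({
            "host": host,
            "bytes": today_bytes,
            "baseline": baseline,
            "top_dst": top_dst,                       # where most of it went: first triage pivot
            "top_dst_share": round(top_bytes / today_bytes, 3),
        })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_FLOWS, "2025-02-15"):
        print(alert)
```

Run against the sample, 10.20.1.15 alerts at roughly 40 GB against a 2.2 MB baseline with nearly all of it going to one previously unseen destination, 10.20.1.40 alerts on the absolute floor with no baseline, and 10.20.1.22 stays quiet because its 60 GB transfer was internal. Two caveats for production use: legitimate cloud backup and SaaS sync will cross these thresholds and need an allow-list keyed on destination, and an attacker who throttles the transfer under the daily floor over many days will evade a per-day check, so pair it with a rolling multi-day window and a "new external destination" signal rather than relying on volume alone.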