UK healthcare provider notifies patients of ransomware breach more than a year after Medusa attack

Overview

HCRG Care Group, a major UK-based healthcare services provider, began notifying patients in mid-2026 of a ransomware attack that took place in February 2025 — more than twelve months after the incident occurred. The Medusa ransomware gang claimed responsibility for the breach at the time and publicly asserted it had exfiltrated sensitive data from HCRG's systems. When contacted in early 2025, HCRG confirmed only that an investigation was underway and declined to provide further detail.

While HCRG remained publicly silent, independent security researchers at SuspectFile obtained and published analysis of data that Medusa made available, making clear that patient and employee records had been compromised well before any official notification reached those affected. The gap between the breach, the public exposure of stolen data, and the formal notification to patients now spans well over a year.

Although HCRG operates under UK regulatory frameworks — principally the UK GDPR and oversight by the Information Commissioner's Office rather than HIPAA — the incident is directly relevant to healthcare compliance officers in any jurisdiction. The pattern of delayed disclosure following a ransomware extortion event, compounded by data being publicly circulated before patients were warned, illustrates risks that apply broadly across the healthcare sector.

Key developments

Medusa claimed the breach publicly in February 2025. The ransomware group named HCRG as a victim and asserted it held a substantial volume of exfiltrated data. HCRG's public response at the time was limited to acknowledging an investigation, without confirming the scope or nature of any data loss.

Third-party researchers surfaced the stolen data before any official disclosure. SuspectFile examined data provided by Medusa and reported on its contents, meaning affected individuals could learn their records were exposed through media coverage rather than from the organization that held their data. This sequence — breach, public data exposure, then official notification — creates particular harm because patients have no opportunity to take protective steps during the gap.

Notification to patients came more than twelve months after the attack. The delay raises direct questions about the sufficiency of HCRG's incident-response timeline and its obligations under UK GDPR: Article 33 requires a controller to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, and Article 34 requires that a breach likely to result in a high risk to individuals be communicated to them without undue delay. A year-long lag is difficult to reconcile with those standards absent extraordinary circumstances.

Medusa continues to operate as an active ransomware-as-a-service threat to healthcare. The group has targeted healthcare entities across multiple countries. Its willingness to publicly release or circulate stolen data as leverage means that affected patients face compounding risks: the initial data theft and the downstream exposure that follows when ransom demands go unmet.

Industry impact

Ransomware attacks against healthcare organizations carry costs well beyond the ransom demand itself. According to IBM's Cost of a Data Breach Report, healthcare consistently records the highest average breach cost of any industry sector, close to or above $10 million per incident in recent editions of the report. A significant share of that cost is attributable to post-breach notification, regulatory response, and reputational damage — all of which grow with notification delay.

The HCRG case also highlights a documented pattern in ransomware extortion: threat actors routinely publish or sell stolen data when organizations decline to pay or stall on negotiations. Breach reports to the HHS Office for Civil Rights (OCR) in the United States show that ransomware is now the leading cause of large healthcare breaches reported to HHS, accounting for the majority of individuals affected in recent annual reporting periods. UK and US regulators have both signaled that slow notification timelines will draw scrutiny regardless of how complex the underlying investigation is.

For independent practices, the HCRG timeline is a practical illustration of what delayed incident response looks like from the outside — and how media and researcher disclosure can reach patients before organizations are ready to communicate. That sequencing erodes trust in ways that are hard to recover.

What this means for independent practices

Independent practices that have not formalized their breach-notification procedures face the same disclosure obligations as large healthcare systems, but typically with fewer internal resources to manage a response under pressure. Building and rehearsing a notification workflow in advance is the single most effective way to avoid the kind of protracted silence that has defined the HCRG incident.

What would have prevented this

Immutable, segmented backup systems: Maintaining offline or logically isolated backups that ransomware cannot encrypt or delete allows organizations to restore systems without negotiating with threat actors, reducing the pressure that leads to delayed disclosure while extortion discussions continue.

Network segmentation and lateral-movement controls: Dividing clinical and administrative systems into isolated segments limits the volume of data a ransomware group can reach after initial access. Smaller blast radius means fewer affected records and a narrower notification obligation.

Privileged access monitoring: Continuous logging and alerting on accounts with elevated permissions — the pathway most ransomware groups use to move through a network and stage data for exfiltration — can surface an intrusion before large volumes of data leave the environment.

Documented incident-response and notification procedures: A written plan that maps regulatory notification deadlines, assigns ownership for each step, and includes pre-approved communication templates allows an organization to notify in parallel with investigation rather than waiting for investigation to conclude.

Endpoint detection with rapid containment capability: Controls that identify anomalous file-encryption activity and can isolate affected endpoints automatically or within minutes limit how far an attack progresses before defenders can respond, reducing both the data volume exfiltrated and the total recovery timeline.
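The two detective controls above (privileged access monitoring and recognising anomalous file-encryption activity) can be sketched as a small detector run over endpoint telemetry. The following is an added example for this page, not code from the original article, from HCRG or from any vendor: the log line format, field names, host and account names, the baseline set and the thresholds are all assumptions, and the sample events are constructed for illustration rather than taken from the incident.

```python
"""Two toy detections over constructed endpoint/identity telemetry.

1. A privileged logon for a (user, host) pair never seen in the baseline.
2. A burst of extension-changing file renames by one process, which is the
   file-system signature of bulk encryption and a trigger for host isolation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line format: "<ISO-8601 UTC timestamp> <event> key=value ...".
# Baseline of (user, host) pairs a privileged account is expected to use
# (constructed for the example; a real baseline would be learned over weeks).
BASELINE_LOGONS = {("svc-backup", "FS01"), ("admin.j", "DC01")}

T0 = datetime(2025, 2, 10, 1, 0, 0, tzinfo=timezone.utc)


def _rename_burst(start, host, proc, count):
    """Build `count` constructed rename events, one second apart, from one process."""
    lines = []
    for i in range(count):
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} file_rename host={host} proc={proc} "
                     f"src=patients/{i:04d}.pdf dst=patients/{i:04d}.pdf.locked")
    return lines


# Constructed sample events (illustrative only, not from the HCRG incident).
SAMPLE_EVENTS = [
    "2025-02-10T01:00:00Z logon user=svc-backup host=FS01 privileged=true",
    "2025-02-10T01:02:10Z logon user=dr.smith host=WS-CLINIC-07 privileged=false",
    # A domain admin appearing on a clinical workstation it has never used.
    "2025-02-10T01:05:30Z logon user=admin.j host=WS-CLINIC-07 privileged=true",
    # Two ordinary renames from a legitimate process: stays below threshold.
    "2025-02-10T01:06:00Z file_rename host=FS01 proc=winword.exe src=notes/a.docx dst=notes/a.docx.bak",
    "2025-02-10T01:06:01Z file_rename host=FS01 proc=winword.exe src=notes/b.docx dst=notes/b.docx.bak",
] + _rename_burst(T0 + timedelta(minutes=7), "WS-CLINIC-07", "update.exe", 30)


def parse_event(line):
    """Parse one assumed-format log line into a dict with a tz-aware `ts`."""
    ts_str, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["event"] = event
    return fields


def detect_unusual_privileged_logons(events, baseline):
    """Alert on privileged logons whose (user, host) pair is outside the baseline."""
    alerts = []
    for e in events:
        if e["event"] == "logon" and e.get("privileged") == "true":
            pair = (e["user"], e["host"])
            if pair not in baseline:
                alerts.append(f"{e['ts'].isoformat()} privileged logon outside baseline: "
                              f"{e['user']}@{e['host']}")
    return alerts


def detect_rename_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Alert once per (host, process) that changes file extensions `threshold`
    times within `window`; thresholds are assumptions to be tuned per estate."""
    recent = defaultdict(deque)   # (host, proc) -> timestamps of recent renames
    alerted = set()
    alerts = []
    for e in events:
        if e["event"] != "file_rename":
            continue
        src_ext = e["src"].rsplit(".", 1)[-1]
        dst_ext = e["dst"].rsplit(".", 1)[-1]
        if src_ext == dst_ext:
            continue                        # in-place edits are not encryption
        key = (e["host"], e["proc"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()                     # slide the window forward
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"{e['ts'].isoformat()} {len(q)} extension-changing renames "
                          f"in {window.seconds}s by {e['proc']} on {e['host']}: isolate host")
    return alerts


def run(lines=SAMPLE_EVENTS, baseline=BASELINE_LOGONS):
    """Parse, time-order and run both detections; returns alerts by detector."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    return {
        "privileged_logons": detect_unusual_privileged_logons(events, baseline),
        "rename_bursts": detect_rename_bursts(events),
    }


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

On the constructed sample the first detector fires once, for `admin.j` on `WS-CLINIC-07`, and the second fires once, when `update.exe` reaches twenty extension-changing renames inside its sixty-second window; the two `winword.exe` renames never reach the threshold. In practice the logon baseline would be learned from weeks of identity logs, the rename counter would run in the EDR agent rather than on exported lines, and the burst alert would be wired to an automatic host-isolation action so containment does not wait for an analyst.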

Read the original at DataBreaches.net