A U.S.-based independent cybersecurity journalist has declined to comply with a U.K. court-ordered injunction that was sought following their reporting on a recent cyberattack at U.K. private healthcare giant HCRG.
Law firm Pinsent Masons, which served the February 28 court order on behalf of HCRG, demanded that DataBreaches.net “take down” two articles that referenced the ransomware attack on HCRG.
The law firm’s notice to DataBreaches.net, which TechCrunch has seen, stated that the accompanying injunction was “obtained by HCRG” at the High Court of Justice in London to “prevent the publication or disclosure of confidential data stolen during a recent ransomware cyberattack.”
The firm’s letter states that if DataBreaches.net disobeys the injunction, the site may be found in contempt of court, which “may result in imprisonment, a criminal fine or having your assets seized.”
DataBreaches.net, run by a journalist who operates under the pseudonym Dissent Doe, declined to remove the posts, and also published details of the injunction in a blog post Wednesday.
Dissent, citing a letter from their law firm Covington and Burling, said they would not comply with the order on grounds that DataBreaches.net is not subject to the jurisdiction of the U.K. injunction, and that the reporting is lawful under the First Amendment in the United States, where DataBreaches.net is based.
Dissent also noted that the text of the court order does not specifically name DataBreaches.net nor reference the specific articles in question.
Legal threats and demands are not uncommon in cybersecurity journalism, since the reporting often involves uncovering information that companies do not want to be made public. But injunctions and legal demands are seldom published over risks or fears of legal repercussions.
The details of the injunction offer a rare insight into how U.K. law can be used to issue legal demands to remove published stories that are critical or embarrassing to companies.
The law firm’s letter also confirms that HCRG was hit by a “ransomware cyber-attack.”
HCRG, formerly known as Virgin Care and one of the largest independent healthcare providers in the U.K., confirmed on February 20 it was investigating a cybersecurity incident after the Medusa ransomware gang claimed responsibility for the breach, saying it had stolen two terabytes of data from the company’s systems. HCRG has more than 5,000 employees and covers half-a-million patients across the United Kingdom.
When reached by TechCrunch, HCRG spokesperson Alison Klabacher said: “We can confirm that we took legal action aimed at preventing republication of any data accessed by the criminal group, to minimise potential risk to those who may have been affected.”
“We are investigating the incident with the support of external specialists and will notify (and have notified) anyone affected as necessary based on our investigation,” HCRG’s spokesperson added.
A spokesperson for Pinsent Masons, the law firm representing HCRG, did not provide comment by the time of publication.
According to the legal demand, Pinsent Masons cited two posts published on DataBreaches.net, which reported that the Medusa ransomware gang had taken credit for the HCRG cyberattack, and that the criminal gang was threatening to publish reams of personally identifiable information and sensitive health data if HCRG did not pay a ransom. The gang published several screenshots of the stolen data on its dark web leak site as evidence of its claims.
The posts published on DataBreaches.net contain much of the same information that TechCrunch and other outlets have independently confirmed and reported.
According to Dissent, Pinsent Masons sent the injunction to DataBreaches.net’s domain registrar, which in turn warned that DataBreaches.net would have its web domain suspended if the posts were not removed. The domain registrar later reversed course and declined to suspend DataBreaches.net, said Dissent.
HCRG has not yet publicly disclosed the breach on its website. Dissent said in their blog post Wednesday that in the absence of updates from HCRG, many of the details about HCRG’s cyberattack have been covered by independent journalists, including cybersecurity blog SuspectFile, which broke new details about the HCRG cyberattack.
Dissent said that the court’s injunction otherwise “would prevent the public from finding out that the breach was a serious one with likely many people affected,” and “could open the door to widespread censorship of journalists in the U.K. or elsewhere.”
“Journalists with any connection to the U.K. might be emailed injunctions demanding they remove past reporting on data stolen from U.K. entities, or they could be prohibited from any future reporting on any data stolen from a U.K. entity,” said Dissent.
Zack Whittaker is the security editor at TechCrunch. You can send tips securely via Signal and WhatsApp to +1 646-755-8849. You can also submit files and documents securely via SecureDrop.