HCRG Cyberattack

A US-based independent cybersecurity journalist has declined to comply with a UK court-ordered injunction that was sought following their reporting on a recent cyberattack at UK private healthcare giant HCRG.

Law firm Pinsent Masons, which served the February 28 court order on behalf of HCRG, demanded that DataBreaches.net “take down” two articles that referenced the ransomware attack on HCRG.

The law firm’s notice to DataBreaches.net stated that the accompanying injunction was “obtained by HCRG” at the High Court of Justice in London to “prevent the publication or disclosure of confidential data stolen during a recent ransomware cyberattack.”

DataBreaches.net, run by a journalist who operates under the pseudonym Dissent Doe, declined to remove the posts, and also published details of the injunction in a blog post.

Dissent, citing a letter from their law firm Covington & Burling, said they would not comply with the order on grounds that DataBreaches.net is not subject to the jurisdiction of the UK injunction and that the reporting is lawful under the First Amendment in the US, where DataBreaches.net is based.

Implications of the Injunction

The details of the injunction offer a rare insight into how UK law can be used to issue legal demands to remove published stories that are critical or embarrassing to companies.

The law firm’s letter also confirms that HCRG was hit by a “ransomware cyber-attack.” HCRG, formerly known as Virgin Care and one of the largest independent healthcare providers in the UK, confirmed on February 20 it was investigating a cybersecurity incident after the Medusa ransomware gang claimed responsibility for the breach.

HCRG has more than 5,000 employees and covers a half million patients across the United Kingdom.