A complete guide to the Hammersmith Medicines Research data breach


In 2020, a hacker group targeted Hammersmith Medicines Research (HMR). After successfully infiltrating HMR’s systems, the criminals accessed some extremely sensitive and private data belonging to former volunteers. This data breach has had a serious impact on those affected and, at Keller Lenkner UK, we are helping victims of the HMR data breach to claim compensation and achieve justice.

In this handy guide, we’ve explained what happened in this breach, how you can find out if your data was breached, and what you can do about it.

A quick summary of the Hammersmith Medicines Research data breach

On 14th March 2020, the Maze ransomware group attacked the computer systems of HMR. The notorious group has targeted many organisations across the globe. Later in 2020, Maze said it was shutting down, but not before it was credited with popularising data leak extortion tactics that are now widely used by other hacker outfits.

HMR has performed over 850 medical trials and regularly seeks healthy volunteers to participate in early clinical trials of drugs and vaccines. But the data security systems at HMR may not have been up to scratch.

The hackers stole:

  • Names
  • Dates of birth
  • Identity documents (scanned passport, National Insurance card, driving licence and/or visa documents, and any photographs taken at the screening visit)
  • Health questionnaires
  • Consent forms
  • Information from GPs
  • Some test results (including, in a few cases only, positive tests for HIV, hepatitis, and drugs of abuse).

The hackers may also have had access to bank details.

With the stolen files likely to date back 20 years, our early investigations indicated that hundreds of thousands of people could be involved in the HMR data breach. The affected people had all taken part in research trials.

According to media reports at the time, HMR did not have the funds to pay the ransom demanded by the hackers. Malcolm Boyce, managing and clinical director and doctor at HMR, said: “We have no intention of paying. I would rather go out of business than pay a ransom to these people”.

In response to this refusal, the cyber gangsters published the personal and medical details of more than 2,300 former volunteer patients online. The published records were from some volunteers with surnames beginning with D, G, I or J. However, HMR admitted that criminals might still have your data, even if your records weren’t among those published.

Many people still do not know that their personal data was involved in this privacy violation

Although HMR has contacted some of those affected, approximately 60% of those who have started a data breach claim with Keller Lenkner UK have not received this confirmation from HMR. So, you could be involved in the HMR data breach and not know it.

If you have previously volunteered for a medical trial with HMR (also via londontrials.com), but you have not received an email notifying you about the breach, it is worth checking your spam folder. Likewise, if you have volunteered for a student medical trial, it is worth checking to see if this was with HMR. Of course, by now, this email could have been automatically deleted.

Worryingly, this means that cybercriminals could have access to your information without you putting any security measures in place. And there is a real risk that anyone exposed in the data breach could see criminals use their stolen identity documents to commit further crimes including data theft and financial fraud. An increase in phishing attempts is also likely. When a data breach occurs, stolen personal information can also be found for sale on the dark web. So victims of the Hammersmith Medicines Research data breach must be extra vigilant.

Find out if you are involved in this data breach

HMR knows exactly who was impacted by this data breach, and all you must do to find out if your details were exposed is to ask HMR if you were involved. If you are worried that your information has been exposed, you can check by emailing DataProtection@hmrlondon.com.

But to make things easy for you, if you appoint Keller Lenkner UK, we can make a data request to find this out for you. Simply sign up with us and we will contact HMR on your behalf. We are taking on all HMR claims on a no-win, no-fee basis.

HMR was negligent in safeguarding your data due to insufficient security systems. Just because it was a victim of a crime does not mean it is any less liable.

If you have been affected by this hack, register with Keller Lenkner UK to find out how we can help you claim compensation in a no-win, no-fee case. 

Contact Keller Lenkner UK to discuss an HMR data breach claim today.
