Transform Hospital Group Ltd., also known as The Hospital Group, suffered a cyberattack which resulted in extremely sensitive customer data theft. Transform provides cosmetic and weight loss surgery, including breast enhancement procedures across several clinics. The UK cosmetic surgery provider admitted that a ransomware data security incident had hit it and that cybercriminals may have accessed some of its patients’ personal data.
Here’s what we know about this breach so far.
What happened in the Transform Medical data breach?
In December 2020, The Transform Hospital Group fell victim to a ransomware attack. The ‘REvil’ ransomware group claimed responsibility for the attack. On its dark web page, REvil said that it had obtained around 900 gigabytes of “the most important documents, personal data of customers, as well as intimate photos of these customers (this is not a completely pleasant sight)”.
It also provided screenshots of the files as proof.
REvil then threatened to post files online. If REvil is behind the attack, there is a chance the group will demand a ransom payment. However, even if Transform pays the ransom, there is no guarantee that cybercriminals will not publish the stolen data.
The screenshots indicate that the data was stolen on or about 6 December 2020.
What do we know about REvil?
REvil is an infamous ransomware group. It has previously attempted to extort companies and public figures including Donald Trump, Lady Gaga and Madonna. It is thought that the group might be based in Russia.
What personal data was breached and how?
We understand that the hackers have access to personal patient details including medical history, GP details, and operation information. The criminals also accessed the intimate pictures of some patients (apparently these before and after photos do not include faces).
Have the affected individuals been notified?
The Transform Hospital Group has informed all customers via email about the data breach and has individually contacted those who may have had their personal details accessed.
If you have been a patient at the Transform Hospital Group and have not received this email, you should check your spam folder. You might also want to contact the company to see which of your details were exposed in the hack. This is called making a Subject Access Request.
Should victims of this data breach be worried?
Unfortunately yes. The consequences of a breach like this could include fraud, blackmail, identity theft and more. Those affected are likely to be experiencing high levels of distress.
One former patient who had chest reduction surgery with The Hospital Group told the BBC that he was “concerned as the last thing I want is ‘before photos’ being splattered around in the public domain. I’ve tried to keep my surgery private and not even some of my friends and colleagues know about it, so the data breach is concerning for me.”
How did Transform respond to the attack?
Transform confirmed the ransomware attack and informed the Information Commissioner’s Office (ICO) of the breach (as it is legally obliged to do). It also emailed all customers about the attack. However, many of those affected by the breach now have questions about The Hospital Group’s data security.
Can you make a medical data breach compensation claim?
If you have been affected by the Transform Hospital Group data breach, we can help you make a compensation claim for:
- the failure to protect your private and sensitive information.
- any emotional distress suffered
- any other losses experienced due to the breach (e.g. if cybercriminals used your details to carry out theft or fraud).