The Business & Technology Network
Helping Business Interpret and Use Technology

Health Firm Hits Data Breach Reporting Site With Bogus Takedown Demand To Vanish Reporting On Its Data Breach

DATE POSTED: March 19, 2025

Shooting the messenger is still the preferred tactic for short-sighted entities that have been embarrassed on main by having their own carelessness publicly exposed. Two articles on Databreaches.net (run by “Dissent Doe”) covered the discovery and eventual consequences of a ransomware attack on HCRG Care Group, a UK-based private healthcare provider.

The ransom demanded by the Medusa ransomware gang wasn’t put in place to unlock the personal data obtained by the attackers. Instead, it was more like blackmail: a threat to publish the data unless HCRG paid it $2 million to “buy back” the purloined data.

This sort of thing happens all the time, unfortunately. The only unusual aspect of this particular ransomware attack is that the attackers appeared to have abandoned locking up data in favor of collecting payment to prevent distribution of the data.

Unfortunately, equally as common is what happened here: the threatening of someone who did nothing more than report on events that have actually happened. Dissent Doe’s site was served with an alleged injunction order from a UK court that (also allegedly) mandated removal of Databreaches’ previous reporting on this incident.

The takedown demand, sent to Dissent Doe by HCRG’s law firm, Pinsent Masons, sure sounded extremely… um… excessively wordy:

We urge you to read the enclosed Order closely. As you are now on notice of the fact and terms of the injunction, pursuant to paragraph 22 of the Order, it would be a contempt of court for you knowingly to assist or permit a breach of the Order, including by publishing on your website some or all of the Confidential Information stolen during the cyber-attack. Breach of the terms of the Order may result in imprisonment, a criminal fine or having your assets seized.

Accordingly, you should take the necessary steps to ensure that none of the Confidential Information is published or disclosed on your website, and take down the following articles which contain descriptions and screenshots of some of the Confidential Information:

Article of 24 February 2025 entitled ‘UK: More details emerge about ransomware attack on HCRG by Medusa – DataBreaches.Net; and

Article of 26 February 2025 entitled ‘Medusa Unveils Another 50TB of Stolen Data from HCRG Care Group, Giving Greater Insight Into the Scope of the Breach -Data Breaches.Net.

Having been so urged, Dissent Doe read the letter and the injunction order. Perhaps HCRG’s legal reps would have been better off “urging” them to “skim over this order to get the gist of it,” rather than directing them to “read” these documents “closely.”

Under closer examination, two things immediately stood out. First, nowhere in the legal documents is Dissent Doe or their website listed as a defendant. Second, this order was obtained without notice to Dissent Doe and the target of the order was never given a chance to argue their case, much less file anything to object to the proposed injunction.

Here’s Dissent Doe, objecting to the order, albeit in blog post form:

The court did not offer any reason at all — much less a compelling one —  not to notify journalists whose work it would be censoring. Nor did it provide any justification at all for censoring media coverage of HCRG’s ransomware attack even though there is nothing unusual about the incident or the reporting on it to date. If there was any civil law violated that would justify censorship, the injunction failed to state it.

[…]

If the injunction itself didn’t name DataBreaches.net and if it didn’t mention the two posts either by URL or even by description, then how could DataBreaches be sure that the court intended to order this site to remove those two posts and not just one of them, or neither of them? Shouldn’t a court order be quite specific as to whom it applies and what they are required – exactly – to do or not do? There was no such specificity in this injunction.

Lots of missing pieces, none of which add up to compliance, immediate or otherwise. However, there was a clause in the injunction order that made it explicitly clear Dissent Doe was under no obligation to comply with this strongly worded letter and vaguely worded court order:

Except as provided in paragraph (2) below, the terms of this Order do not affect or concern anyone outside the jurisdiction of this Court.

There it is. US entities are not subject to UK court jurisdiction. Paragraph (2) explains how a US entity might become subject to this court, but it would involve a whole lot of things that aren’t happening here, like Doe having an appointed legal representative residing in the UK and having been given notice of this legal action at a residence or place of business that is within the jurisdiction of UK law.

Doe sent a letter back to HCRG’s legal reps pointing out all these things that justified the site’s non-compliance with the completely ineffective injunction order they had obtained. Rather than take the loss in dignified silence, HCRG sent a letter to Dissent Doe’s domain registrar demanding the same removal of content. The registrar forwarded this request to Dissent Doe, who again pointed out why it didn’t apply to their site and, additionally, did not apply to the registrar either. After a brief conversation, the registrar dumped the service ticket generated by this bogus legal threat and informed Doe no action would be taken against their site.

At this point, the posts remain live. And, for the moment, HCRG’s lawyers are still silent. It’s been 10 days since the last effort by Pinsent Masons, so one assumes this self-own is over and its lawyers are gently explaining the legal concept underpinning their failure. Hopefully, this will be the end of it.

But even if it is, this sort of thing just never goes away, even if, in almost every case, these threats rarely manage to dislodge content breach/ransomware victims want to keep out of the public eye. It’s never about preventing people from accessing data that’s been obtained via illegal means. It’s always about minimizing public exposure. The faster they can bury reporting, the longer they can wait before having to inform their users and customers that their personal information is now in the hands of criminals. And the longer they can keep this out of the news, the longer they can enjoy the profit margins/share prices they’re used to, even if the long-term damage wouldn’t last nearly as long if they’d just rip the band-aid off and get on with treating the wound.