Late yesterday, ransomware group RansomHub added NRS Healthcare to its data leak site. Comparitech contacted NRS Healthcare about the claims and received confirmation that the cyber attack that has been disrupting the UK-based healthcare company since the start of April is a ransomware attack. RansomHub alleges to be in possession of 578 GB of data, including over 600,000 private documents.
NRS Healthcare’s statement to Comparitech is as follows:
At the start of April, NRS Healthcare experienced a cyber security incident, and the Company sincerely apologises to all those affected.
The Company’s business continuity plan was swiftly implemented, its systems taken offline and external experts appointed to help investigate what had happened. Since then, specialist teams have been working relentlessly to minimise disruption for service users, commissioners and prescribers and to restore functionality safely and swiftly; the business has now moved into recovery phase.
Simultaneously, external experts have been monitoring online sources for any mention of NRS Healthcare and/or its data. Unfortunately, a post has today been identified which names the Company and includes some data taken from its systems.
At this stage, it is understood that the affected data relates only to an internal part of the Company’s network and is not from core customer systems; however, the possibility cannot be ruled out that elements of data including information related to customers could have been copied to the internal part of the network.
RansomHub’s claim does appear to relate to company documents as it says it is in possession of over 600,000 private documents, including financial reports, contracts, and accounting documents. But the likelihood of some personal data being among this remains high, particularly for employees. As NRS Healthcare continues its investigations into the data stolen by RansomHub, it is highly recommended that both customers and employees are on high alert for phishing emails, texts, and phone calls. They should also monitor bank accounts and credit reports for any unusual activity.
NRS Healthcare hasn’t confirmed what ransom was demanded, whether one was paid (RansomHub’s posted would suggest it hasn’t, however), or how the threat actors were able to infiltrate its systems.
Who is RansomHub?
RansomHub is a new ransomware group thought to have ties with Russia. It posted its first victim in February 2024 and since then we have tracked 48 attacks via this group. 47 of these attacks remain unconfirmed with one being confirmed. The latter is an attack on a finance company (Sociedad de Ahorro y Crédito Constelación) in El Salvador.
Most notably, however, was RansomHub’s recent claim to be in possession of the data stolen in the Change Healthcare attack. The group’s extortion came after Change Healthcare had already paid a $22 million ransom to ALPHV/BlackCat.
In the case against NRS Healthcare, RansomHub is following a double-extortion technique by demanding a ransom for a decryption key to unlock the company’s systems and one for deleting all of the stolen data.
Ransomware attacks on UK healthcare organizations
This attack on NRS Healthcare joins two other confirmed incidents on businesses operating in the healthcare sector in the UK so far this year. The Richmond Fellowship Scotland was hit by Medusa in January 2024 when the group demanded a $300,000 ransom. And INC carried out the highly-disruptive attack on NHS Dumfries and Galloway which crippled key systems but also saw sensitive patient data being leaked online.
Worldwide, we tracked 212 confirmed ransomware attacks on businesses in the healthcare sector in 2023. This affected at least 45,987,706 records. So far this year, we’ve logged 42, affecting over 1.3 million records. We have also tracked 116 unconfirmed attacks in this sector for 2024.
More about NRS Healthcare
Based in Coalville, Leicester, NRS Healthcare specializes in healthcare equipment manufacturing and services. It provides equipment to over 250,000 homes each year and also provides and repairs wheelchairs for the NHS.