Serious data breach of patient information suffered by Transform Hospital Group

Leading data breach lawyers say that the announcement by Transform Hospital Group, that some of their patient data had been hacked, is likely to lead to substantial claims for compensation by those affected.

The Transform Hospital Group operates 11 private clinics across the UK specialising in a range of treatments including bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments.

In a statement on their website dated 5th January 2021 entitled ‘Notice of Data Security Incident’, they confirmed that they had suffered a data security incident in which “an unauthorised third party” accessed elements of their IT system on 6th December 2020 as a result of which they have “identified the possibility that some personal data relating to a small minority of individuals may have been extracted during the incident”.

They confirmed that they “will be writing separately to anyone who could be affected by this”.

On the basis of emails sent by Transform Hospital Group to potentially affected patients, the information that may have been accessed includes the following:

• Name;
• Address;
• Telephone number (home and / or mobile);
• Medical history;
• Ethnicity;
• Email address;
• Date of Birth;
• Religion;
• GP details;
• Details of operation sought;
• Signature;
• Patient photos.

Transform Hospital Group state that they do not believe that patients’ payment card details were accessed.

They have also stated that they have taken steps to secure their system against further unauthorised access, have instructed a specialist IT and security specialist to investigate the incident and have reported the matter to the relevant regulators, including the Information Commissioner’s Office and National Cyber Security Centre, and the Police.

While not addressing issues relating to the disclosure of highly sensitive personal medical information in their letter to potentially affected patients, Transform Hospital Group identify a risk that some of the disclosed information could be used by criminals to commit identity theft or fraud.

If you think you have been affected and would like to find out more information about a potential claim, please fill in our form.

Ransomware

Articles in the national and specialist IT media, indicate that Transform Hospital Group suffered a ransomware attack. Ransomware attacks typically involve criminals gaining access to an IT system, stealing data and threatening to release it unless a ransom is paid. In this case, it is believed that REvil also known as Sodinokibi, one of the most prolific ransomware groups, is responsible.

On its darknet webpage, it posted screen shots of directories from the IT system and has said it had the personal data, including "intimate photos" of patients.

Compensation

Sean Humber, a data breach specialist at Leigh Day, who has successfully acted in a series of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, stated:

“Sadly, it seems clear that Transform Hospital Group have failed to keep their patients’ personal information secure and this is likely to represent a breach of the duty of confidence they owe to each of its patients and a misuse of their patients’ private information as well as being a breach of their obligations under General Data Protection Regulation (GDPR).

"As such, those affected, are likely to be entitled to compensation for the loss of control over this information, the distress and anxiety caused by the breach as well as any financial losses that they may have suffered. Given that the data breach includes very sensitive medical information, it is likely that this compensation will be substantial.

“It is important to remember that these claims for compensation by affected patients are entirely separate from any regulatory fine that the Transform Hospital Group may now face from the Information Commissioner’s Office for breaches of the GDPR.”

Gene Matthews, a data breach solicitor at Leigh Day, who has successfully acted in a succession of group claims over the last 15 years, added:

“This is likely to be an uncertain and worrying time for those affected. It is important that the Transform Hospital Group keep affected patients fully updated about the breach, including who were responsible, what personal information has been accessed and whether there is any evidence that it has been published further. In the meantime, they must also pay for those affected to buy identity theft and fraud monitoring protection.”