Judgment clarifies ransomware's legal implications

The recent court ruling in HCRG Care Limited v Persons Unknown highlights the complex interplay between data protection and cyber threats in healthcare
On 2 April 2025, Deputy High Court Judge Susie Alegre delivered a pivotal judgment in the case of HCRG Care Limited v Persons Unknown ([2025] EWHC 794 (KB)), shedding light on the legal ramifications following a ransomware attack on HCRG Care Limited, a prominent UK health and care organisation with about 4,500 employees. Commissioned by the NHS and local authorities, HCRG provides critical healthcare services, thus raising significant concerns regarding data protection and privacy.
The legal proceedings arose from events that transpired between 26 January and 12 February 2025, during which the unidentified perpetrators, referred to as “Persons Unknown,” unlawfully infiltrated HCRG’s IT systems, leading to the theft of confidential data. On 12 February, HCRG learned of the breach and the ransomware attack, which involved the disclosure of some stolen data. In response to this alarming situation, HCRG sought an interim injunction to forestall further data disclosure, secured by Mr Justice Soole on 28 February 2025.
Judge Alegre’s task was to evaluate the return date for this interim injunction, examining the evidence presented by HCRG, including witness statements and detailed claims. A significant aspect of the court’s consideration was the Claimant's request for a private hearing due to the sensitive nature of the compromised data. The judge referenced the Practice Guidance on Non-Disclosure Orders, noting that public hearings are the standard unless exceptional circumstances necessitate confidentiality. She found that the breach of confidential data constituted such exceptional circumstances.
In her analysis, Judge Alegre also addressed the potential consequences of the injunction on freedom of expression. While she indicated that the Defendant's Article 10 rights were not directly implicated, the court recognised that injunctions could affect the broader context of reporting on criminal activities. Ultimately, she underscored that the Defendant had been informed of the injunction and that HCRG had undertaken substantial efforts to notify relevant parties about the order.
To facilitate proceedings, Judge Alegre determined it appropriate to consider the application based on written submissions, avoiding the need for parties to appear physically. Citing precedents, she illustrated how similar cases have previously been adjudicated, referencing the Theft Act 1968 and the judiciary’s historical prioritisation of protecting sensitive information against unfettered free speech, especially in cases involving threats to release confidential information.
The court ultimately concluded that there was a serious issue to be tried, affirming the injunction's significance in preventing further harm resulting from the cyber-attack. Consequently, Judge Alegre continued the injunction, reinforcing the court’s commitment to safeguarding legal protections against confidentiality breaches amid rising digital threats.
The judgment in HCRG Care Limited v Persons Unknown opens crucial discussions regarding data protection, cyber security, and the judiciary's role in balancing confidentiality with public interest in the modern digital landscape. As cybercrime continues to escalate, this case highlights the urgent need for robust legal frameworks and diligent enforcement to safeguard sensitive personal and corporate data