Medical equipment supplier NRS Healthcare confirms ransomware attack

Ransomware concept image showing digitized padlock pictured on a laptop screen on red background
(Image credit: Getty Images)

UK healthcare equipment provider NRS Healthcare has confirmed that it suffered a ransomware attack in early April after the RansomHub group added the firm to its leak site.

RansomHub said it successfully breached the firm on 30 March, stealing hundreds of thousands of sensitive documents.

"More than 600k private documents was downloaded, including: Accounting, HR, Financial reports, Reception, Contracts and much more,” the group said on its leak site.

"Company itself has offices in almost every state of the United Kingdom. Every office was targeted and attacked."

RansomHub claims to be in possession of 578 GB of data, including over 600,000 documents, including financial reports, contracts, and accounting information. It's also possible that there's personal data, particularly of employees, in the mix.

The group is demanding payments for both unlocking the company's systems and deleting the data, in a double-extortion demand. According to a countdown on the site, the group has given NRS Healthcare just eight more days to pay up before the data is released.

NRS Healthcare told Comparitech that it suffered a ransomware attack, taking all its services – phone lines, email, and websites – offline. It's also confirmed that data has been accessed.

"External experts have been monitoring online sources for any mention of NRS Healthcare and/or its data. Unfortunately, a post has today been identified which names the company and includes some data taken from its systems," the firm said..

"At this stage, it is understood that the affected data relates only to an internal part of the company’s network and is not from core customer systems; however, the possibility cannot be ruled out that elements of data including information related to customers could have been copied to the internal part of the network."

The company has put its business continuity plan into action, taken systems offline, and appointed external experts to help investigate. In a statement, the firm said it's doing all it can to minimize disruption for service users, commissioners, and prescribers, and restore functionality quickly and safely.

It hasn't confirmed the ransom demand, however, or how the attack was carried out.

ITPro has approached NRS Healthcare for comment.

NRS Healthcare the latest RansomHub victim

RansomHub, believed to have ties with Russia, posted its first victim in February 2024, the Brazilian business management company YKP.

Since then, Comparitech said it's tracked 48 attacks via the group including a confirmed attack on finance company Sociedad de Ahorro y Crédito Constelación in El Salvador.

It also claimed to be in possession of 4TB of data from Change Healthcare, originally stolen by ALPHV/BlackCat, despite the fact that the company had already paid a $22 million ransom.

There's been speculation that RansomHub may consist of previous members of ALPHV/BlackCat.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.