Data Breach Injunction: HCRG Care Ltd v Persons Unknown [2025]
HCRG Care Ltd v Persons Unknown [2025] EWHC 794 (KB): Cyber Extortion and the Protection of Confidential Data
In a judgment concerning data privacy and interim injunctive relief, the High Court in HCRG Care Ltd v Persons Unknown [2025] EWHC 794 (KB) granted a continuation of a without notice injunction to restrain the dissemination of confidential information. The case arose following a ransomware attack on HCRG Care Ltd, a major provider of health and social care services commissioned by the NHS. Between January and February 2025, an anonymous hacking group self-identified as “Medusa” exfiltrated large volumes of sensitive data and issued a demand for payments under threat of public disclosure.
The judgment is concerned with misuse of private information, injunctions to prevent publication, and the protection of confidential data following a data breach. It shows the English courts’ willingness to grant emergency relief, including service out of the jurisdiction and orders against persons unknown, in response to digital extortion and reputational threats. The judgment also confirms that attempts to coerce payment through threats to publish stolen data fall outside the scope of Article 10 ECHR and attract no protection under the Human Rights Act 1998.
This article examines the High Court’s reasoning, the approach to interim injunctions under the American Cyanamid principles, the procedural handling of anonymous foreign defendants, and the interaction between cyber blackmail, privacy law, and freedom of expression.
If you have been affected by a data breach, are facing threats of unlawful publication, or require urgent legal advice on protecting confidential information, contact Carruthers Law. We can secure emergency injunctions, privacy and reputational protection. Call 0203 846 2862 or 0151 541 2040 for expert assistance.
Factual Background
HCRG Care Ltd (“HCRG”) is a national health and care services provider with approximately 4,500 employees, commissioned by the NHS and local authorities to deliver various healthcare and support services. In early 2025, HCRG suffered a ransomware cyber -attack. Between 26 January and 12 February 2025, a group of unknown attackers, self-identified as “Medusa”, gained access to HCRG’s IT systems and secured quantities of sensitive personal data. The information was confidential to HCRG and included data relating to its employees, clients and other third parties. On 12 February 2025, the attackers contacted HCRG to confirm the data theft, declaring that HCRG was the victim of a ransomware attack. The hackers disclosed samples of the stolen data as proof, demanded a ransom payment and threatened to publish the data.. They provided a means of communication via an online web portal chat box for further contact.
Because the wrongdoers could not be identified by name, the claim was brought against “persons unknown”, defined in the proceedings by reference to their role in the cyber -attack (namely, the persons responsible for obtaining HCRG’s data in the breach between January and February 2025 and those threatening to disclose that data). The case was framed as a breach of confidence claim to restrain the misuse and disclosure of the stolen confidential information. HCRG sought urgent injunctive relief to prevent the attackers from exposing the sensitive data (much of which related to health and care service users) and to stop the extortion attempt.
Procedural History
Without notice injunction (February 2025):
In response to the ransom threat, HCRG promptly issued proceedings and applied for an interim injunction against the unknown defendants. On 28 February 2025, at a without notice hearing, Soole J granted an interim injunction restraining the Persons Unknown from using, publishing or disclosing the stolen information. Given indications that the perpetrators were operating from outside England and Wales, Soole J also granted permission for service of the proceedings out of the jurisdiction. The injunction was granted on an interim basis (pending a return date hearing) and was coupled with ancillary orders typical in data breach injunctions, including provisions allowing the claimant to continue the injunction against anyone with notice of it and authorising alternative service.
Service on the defendants:
Serving court documents on anonymous overseas cybercriminals posed practical challenges. Pursuant to the court’s order, the claimant effected alternative service of the injunction order and claim form by electronic means. In particular, HCRG’s agents sent the defendants a message via the hackers’ own web portal chat interface, which included a link to a secure file-sharing site containing the legal documents. This method successfully delivered notice of the proceedings to the defendants using the contact facility they had themselves provided. However, after receiving the court order, the defendants disabled the chat portal, apparently as a tactic to evade further communication or service of additional documents. In light of this, HCRG resorted to serving subsequent documents (including the Particulars of Claim) by email, and applied for an order validating these modes of service. The claimant also engaged with two third-party websites (one based in Italy, one in the USA) that had posted screenshots of some stolen data; after being put on notice of Soole J’s injunction, both websites removed the material.
Return date hearing (April 2025):
The interim injunction was returnable in the King’s Bench Division on 2 April 2025. The return hearing came before Deputy High Court Judge Susie Alegre. Given the highly sensitive nature of the information and the risk of aggravating the harm through open court discussion, HCRG requested that the return date application be considered either on the papers (without a hearing) or, if a hearing was necessary, in private.
The general rule is that hearings are public and departures from open justice are permitted only in exceptional circumstances where strictly necessary. Judge Alegre was satisfied that this case met that high threshold: the combination of confidential health related data and an ongoing threat justified a temporary curtailment of open justice.
She therefore exercised her discretion to determine the return date application on the papers, without a public hearing. The defendants did not attend or make any representations (indeed, their identity and location remained unknown), but the Court was satisfied that they had been given proper notice of the proceedings and the return date. In particular, Judge Alegre said that HCRG had taken all practicable steps to notify the defendants, especially in light of the defendants’ own “blocking tactics” aimed at preventing service.
Legal Issues and Analysis
Freedom of Expression, Blackmail and Article 10
A central issue was whether the usual protections for freedom of expression were engaged, given that the relief sought would restrain the publication of information obtained by the defendants. Section 12 of the Human Rights Act 1998 (applicable to interim injunctions impacting free speech) sets a higher threshold for relief in such cases. In particular, section 12(3) provides that “no such relief is to be granted so as to restrain publication before trial unless the court is satisfied that the applicant is likely to establish that publication should not be allowed”.
In a typical case involving a media defendant, this would require the claimant to demonstrate a likelihood of success at trial in obtaining a permanent injunction (a higher bar than the usual serious issue to be tried test). However, Judge Alegre held that section 12(3) was not engaged on the facts of this case. The defendants’ conduct, which involved stealing data and threatening to publish it online unless paid, amounted to a serious criminal offence (contrary to section 21(1) of the Theft Act 1968) and a misuse of any supposed free expression rights. In the court’s view, the proposed publication of the data was not legitimate expression in pursuit of the public interest or open debate. Accordingly, the usual statutory safeguard for freedom of expression did not apply to shield the defendants’ activities.
Judge Alegre went on to consider the position under Article 10 of the European Convention on Human Rights (ECHR), While Article 10(1) confers a right to “receive and impart information”, that right is qualified by Article 10(2), which permits restrictions necessary “for preventing the disclosure of information received in confidence” and for the prevention of crime, among other legitimate aims. Both of those exceptions were directly relevant here.
Given that context, the Court concluded that no Article 10 rights were engaged in this case. Publishing confidential personal data is not a lawful exercise of free speech but an abuse of it. This removed the higher hurdle that a claimant would normally face under section 12(3) HRA in obtaining a media injunction. The judge also stated that the procedural requirement in section 12(2) (to notify the respondent of the injunction application, absent exceptional circumstances) had been satisfied by HCRG, who did everything practicable to bring the proceedings to the defendants’ attention.
Interim Injunction Criteria (American Cyanamid)
The court proceeded to apply the standard test for interim injunctions as laid down in American Cyanamid Co v Ethicon Ltd [1975] AC 396. Under this test, the court does not determine the merits conclusively but considers: (1) is there a serious issue to be tried; (2) would damages be an adequate remedy for either side if the injunction is or is not granted; and (3) where does the balance of convenience lie, including any special factors. The judge found that all limbs of this test were satisfied on HCRG’s facts. First, there was plainly a serious issue to be tried on the merits: the claimant had a strong prima facie case in breach of confidence given the unlawful theft and threatened dissemination of confidential data. Second, damages would not be an adequate remedy if an injunction were refused, given that monetary compensation could not adequately redress the potential harm from exposure of sensitive medical and personal information. By contrast, restraining publication pending trial caused no legitimate hardship to the defendants (who have no right to exploit stolen information) and in any event the claimant had given the usual cross-undertaking in damages to compensate the defendants should it later transpire that the injunction was wrongly granted. Third, the balance of convenience was overwhelmingly in favour of continuing to restrain any dissemination of the data. The risk of irremediable damage to privacy and confidentiality if the data were leaked far outweighed any prejudice to the wrongdoers. Indeed, preventing crime and protecting sensitive personal data are strong factors tipping the balance towards an injunction. In these circumstances, maintaining the injunction was plainly the just and convenient course.
In summary, having weighed the Cyanamid factors, the court was satisfied that the interim injunction should be sustained. There was a serious issue to be tried, no adequate alternative remedy for the claimant, and the equities favoured preserving confidentiality through an injunction..
Service and Jurisdiction over Anonymous Defendants
Another aspect of the case was the court’s approach to service and jurisdiction in pursuing relief against anonymous, overseas online defendants. The defendants here were not only unidentified individuals but also appeared to be outside England and Wales. This raised two procedural challenges: (1) establishing the court’s jurisdiction over persons unknown located abroad, and (2) effecting service of the court documents on those persons by unconventional means.
Jurisdiction:
At the without notice stage, HCRG obtained permission from Soole J to serve the claim form out of the jurisdiction. Implicit in that order was a finding that there was a jurisdictional gateway and a serious issue to be tried against the foreign defendants, and that England was the appropriate forum. In a cyber-attack context, the English court can take jurisdiction on the basis that the damage from misuse of confidential information will be sustained within England (where HCRG and the affected data subjects are based), and that the claim is principally to protect confidentiality and prevent illegal publication (matters squarely justiciable in England). Soole J’s order enabled the claimant to pursue the unknown defendants despite their likely foreign location.
Service:
Given the defendants’ anonymity and evasiveness, the court permitted alternative service by methods reasonably calculated to bring the proceedings to the defendants’ attention. As noted, the initial injunction and claim were served via the hackers’ own online portal (a method which, though unconventional, proved effective in notifying the defendants of the court’s orders). When the defendants shut down that channel, HCRG switched to service by email, and then sought retrospective validation of email service. At the return date, Judge Alegre considered the claimant’s efforts and was satisfied that service had been properly effected (or should be treated as such) on the persons unknown.
The court was content that all practical steps to notify the defendants had been taken, fulfilling the spirit of CPR Part 6 and HRA section 12(2). Accordingly, the service by alternative electronic means was validated by the court, ensuring the proceedings were properly constituted, and the court proceeded to exercise jurisdiction over the defendants in their absence.
The outcome of HCRG Care Ltd v Persons Unknown is that HCRG succeeded in obtaining a continued injunction to protect the confidentiality of the stolen information and to neutralise the ransom threat. The court’s reasoning was firmly grounded in established principles: the law of confidence and privacy, the American Cyanamid injunction test, and the limits of freedom of expression when faced with criminal conduct.
The courts will not permit procedural evasions or anonymity to shield wrongdoers from legal accountability, particularly in the context of serious data protection breaches or cyber extortion.
If you or your organisation are facing a data breach, online blackmail threat, or unauthorised disclosure of sensitive material, Carruthers Law can provide urgent legal assistance. We are experienced in obtaining injunctions, advising on misuse of private information claims, and protecting confidential and reputational interests. Get in touch today or call our London office on 0203 846 2862 or our Liverpool office on 0151 541 2040 for expert advice.