Transform Hospital Group Data Breach


In December 2020, UK cosmetic surgery provider Transform Hospital Group experienced a cyberattack. After successfully carrying out this ransomware attack, the hackers accessed Transform’s systems and stole a wealth of private and confidential patient information, including intimate pictures. This page explains how the Transform data breach happened. 

What happened in the Transform data breach?

In December 2020, UK cosmetic surgery provider Transform Hospital Group Ltd., also known as The Hospital Group, admitted that it had been hit by a ransomware data security attack. This incident resulted in the theft of extremely sensitive customer data.

In some cases, the criminals accessed intimate pictures of patients and threatened to leak these online. 

Transform provides cosmetic and weight loss surgery, including breast enhancement procedures. Many patients suffered understandable upset and distress following the breach. Not just because this sensitive information has been accessed by criminals, but also because of fears over what they might do with it.

Speaking to the BBC, one former patient who had chest reduction surgery with The Hospital Group said that he was “concerned as the last thing I want is ‘before photos’ being splattered around in the public domain. I’ve tried to keep my surgery private and not even some of my friends and colleagues know about it, so the data breach is concerning for me.”

The information stolen in the Transform data breach  included:

The hackers threatened to leak the photographs online

With several clinics in the UK, Transform sees thousands of patients every year. It claims to be the UK’s leading specialist weight loss and cosmetic surgery group and provides numerous procedures, including breast enhancement, nipple corrections, nose adjustments, liposuction, and tummy tucks.

The group has had many celebrity endorsements over the years, including from singer Kerry Katona, actress Tina Malone and reality TV star Joey Essex. But it experienced publicity of the wrong kind after hackers stole patient records from its systems, including highly confidential before and after photos.

On its darknet webpage, the hacker group behind the attack claimed to have stolen more than 900 gigabytes of patient photographs. It said it had looked at these images and that the “intimate photos of customers” were “not a completely pleasant sight”.

The ransomware group also threatened to post these photographs online. This caused significant distress for those affected by the breach.

Other information accessed by criminals in this attack included medical history, GP details, and operation information. Together, this stolen data made patients very vulnerable to online scams and fraud.

Transform Hospital Group data breach timeline.

  • 6 December 2020
    Screenshots provided by the cybercriminals indicate that data was stolen from Transform on or about this date.
  • 22 December 2020
    Transform admitted that it had suffered a data security incident.

Your questions answered

See our answers to the FAQs we get asked about the Transform Data Breach.

What did the Hospital Group say about the data breach?

Transform confirmed the ransomware attack and informed the Information Commissioner’s Office (ICO) of the breach (as it is legally obliged to do). In a statement, the company said:

“None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed”.

Who carried out the attack?

The attack was carried out by the infamous REvil ransomware group which has previously attempted to extort companies and public figures including Donald Trump, Lady Gaga and Madonna.

When did the attack take place?

The screenshots indicate that the data was stolen on or about 6 December 2020.