Transform Hospital Group Ltd., a U.K. provider of cosmetic and weight loss surgery, has been hit by ransomware, resulting in the theft of customer data including intimate pictures.

Exactly when the attack took place is not clear. Transform, best known in the U.K. for breast enhancement surgery, described it only as a data security breach. “None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed,” the company said in statement reported today by the BBC.

Who is behind the attack, however, is known: The infamous REvil ransomware group is claiming responsibility. The group said on their dark web page that it had obtained about 600 gigabytes of “the most important documents, personal data of customers, as well as intimate photos of these customers (this is not a completely pleasant sight:)),” and is threatening to post the first batch of files next week. DataBreaches.net shows a screenshot posted by REvil as proof that the data had been stolen with directories and folders that would align with a medical practice complete with one labeled “Clinic_Images.”

One detail missing from the story is whether the company’s systems were affected and how much REvil is demanding as a ransom payment not to release the data. A typical REvil attack starts with a ransomware attack, which is first noticed with systems going offline, followed by the group demanding a payment.

The REvil group is best known for its attack on foreign exchange provider Travelex in late December 2019. In that case, Travelex was reported to have paid a $2.3 million ransom for a decryption key to restore its network. The gang, also known as Sodinokibi, was linked to attack on data center provider Cyrus One Inc. and in May claimed responsibility for a ransomware attack on Grubman Shire Meiselas & Sacks, a high-profile entertainment law firm.

The attack on Grubman Shire Meiselas & Sacks has some parallels with the attack on The Hospital Group. Both involve celebrities and both involved the theft of large amounts of personal details.

If REvil has demanded a ransom in this case, there’s no guarantee that paying the ransom will result in the stolen data not being published. “As with other ransom situations, it is also impossible to know if paying the ransom will make your problem go away,” Jonathan Knudsen, senior security strategist at electronic design automation firm Synopsys Inc., told SiliconANGLE earlier this year. “Even if you regain access to your own information, your attacker might still have a copy of the information and be able to resell it to other interested parties.”

Image: The Hospital Group