HCRG Care Group first notifies patients of a February 2025 Medusa breach — 16 months on `[SINGLE-SOURCE]`
From CTI Daily Brief — 2026-06-21 · published 2026-06-21
HCRG Care Group, described by the cited source as a major UK-based healthcare services provider, has begun notifying patients in June 2026 of a Medusa ransomware attack that occurred in February 2025 — more than 16 months after the incident (HIPAA Pulse, 2026-06-18). The Medusa gang publicly claimed the attack and asserted data theft at the time, and analysis of the stolen dataset circulated well before formal notifications, meaning affected individuals could have learned of their exposure from media coverage rather than from the provider. UK-GDPR sets two distinct clocks — supervisor notification within 72 hours under Article 33 and notification to affected individuals "without undue delay" under Article 34 — and a 16-month gap to individual notification is precisely the kind of timeline the latter is meant to prevent. [SINGLE-SOURCE] — see § 7.