HCRG Care Group

HCRG Care Group

Formerly	Assura Medical Virgin Care
Company type	Subsidiary
Industry	Health care, social care
Founded	2007 (as Assura Medical)
Headquarters	United Kingdom
Owner	Twenty20 Capital
Website	www.hcrgcaregroup.com

HCRG Care Group is a private provider of community health and social services in parts of the UK, commissioned by the National Health Service and by local authorities in England.

Founded in 2007 as Assura Medical, the company became majority-owned by the Virgin Group in 2010 and was known as Virgin Care. In December 2021, it was acquired by Twenty20 Capital and rebranded under its current name.

History

Logo as Virgin Care

The company originated in around 2007 as the Assura Medical division of property company Assura Group. A majority share was purchased by Virgin Group in 2010, and by 2012 it was a separate company under the Virgin Care brand. ^[1]

Until October 2012, each GP provider company was 50% owned by the surgery GPs and 50% by Virgin, and these companies were run by a board consisting of locally elected GPs and one Virgin representative. 358 surgeries were listed ^{[ where? ]} as being involved in mid-2012.

In October 2012 the company announced that it would be taking over all jointly owned GP-provider companies, in order to avoid any conflict of interest arising in respect of contracts with clinical commissioning groups. ^[2] Following this change, the company made bids for contracts put out by these clinical commissioning groups, NHS England and local authorities, and has contracts stretching for more than a decade with a total potential value (as of 2018 ^[update] ) of £2bn. ^[3]

In December 2021, the company was acquired for an undisclosed sum by Twenty20 Capital, ^[4] a privately-owned investor in companies that provide workforce management and recruitment services. ^[5] It was immediately rebranded as HCRG Care Group. ^[6]

Ransomware

HCRG was the target of a cyberattack in February 2025 from the Medusa ransomware group. Medusa claimed to have encrypted over 50tb of data, with over 2tb of data of it being uploaded, including sensitive medical records, financial records, and identities. The group demanded $2m ransom to not release the data. ^{[7] [8] [9] [10]}

In March, HCRG attempted to use a UK court-ordered injunction to compel a cybersecurity breach reporting website, databreaches.net, to remove references the breach of HCRG Care Group's systems. The injunction was issued by High Court judge Michael Soole, based on the request by HCRG's attornies at Pinsent Masons. The US-based maintainer of the website refused to comply due to the injunction's inapplicable jurisdiction, and published details of the injunction online, noting the chilling effects of suppressing speech. Their domain registrar also declined to comply. ^{[8] [11] [12] [13]}

Profit

The company said in 2018 that it had never made a profit overall from its NHS services, ^[14] and that it had invested its own money into the business, although accounts show that individual parts of the group with NHS contracts have made profits. ^[15]

Sir Richard Branson wrote in January 2018: ^[14]

Over the last 50 years, I have been fortunate to build many successful companies and do not want or intend to profit personally from the NHS. Indeed, I have invested millions in Virgin Care to help it transform its services for the better and to improve both the patient and employee experience.Contrary to reports, the Virgin Care group has not made a profit to date. If and when I could take a dividend from Virgin Care (which would make us a profit over and above our overall investment), I will invest 100% of that money back into helping NHS patients young and old, with our frontline employees deciding how best to spend it.

In December 2021, the company's press release said: "Neither Virgin, nor its founder, has ever taken a penny from the business, committing instead to reinvest any returns back into the company and its frontline services." ^[16]

Former contracts

Lyme Regis Medical Practice

In 2012, Virgin Care won a contract to provide services in Dorset, at the Lyme Regis Centre, for five years. ^[17] When the service was inspected by the regulator in August 2015, the Minor Injuries unit was found 'not safe' by the Care Quality Commission because "patients were at risk of harm because systems and processes were not in place to keep them safe". Inspectors returned in February 2016 and found improvements, and again in August 2016 when a desk-based inspection based on information the company provided was deemed sufficient to rate the practice 'good' in all areas. The service was rated 'good' again by the CQC in October 2018, but inspectors said it needed to do more and rated it 'requires improvement' for services for people with long term conditions. ^[18] This contract ended in 2019 after a short extension, when the NHS merged it with another local GP practice. ^[19]

Croydon urgent care centre

Virgin Care ran the urgent care centre at Croydon University Hospital under a £6 million contract for three years from April 2012. ^[20]

East Staffordshire

The company won a seven-year contract worth £270 million for providing long-term and elderly care for about 38,000 people with long-term health conditions in East Staffordshire in March 2015, known as the "Improving Lives" programme. ^[21] A report by the Care Quality Commission published in October 2019 rated the service 'good'. ^[22] Virgin Care terminated its role as prime provider in October 2018 after an 18-month-long dispute ^[23] and went on to terminate the remaining part of the contract in May 2019. ^[24]

Current contracts

Surrey

Virgin Care won a contract to provide community health services in Surrey from 2012 until 2017. ^[25] This includes the Jarvis Breast Centre in Guildford, which in October 2014 was subject to an investigation by North West Surrey Clinical Commissioning Group after 35 patients were not tested within two weeks of their GP referrals during April and July. ^[26] In 2017, Surrey's CCGs split the contract again and procured elements of it separately, with Virgin Care awarded some adult community services in the Surrey Heath CCG and North East Hampshire and Farnham CCG areas, as well as continuing to operate community dental services and wheelchair services. ^[27]

In September 2019, the company was awarded an £85m contract to run a joint project with Frimley Health NHS Foundation Trust. ^{[28] [29] [30]}

Bath and North East Somerset

The company won a seven-year £700m prime provider contract to run health services in Bath and North East Somerset in 2016. ^{[31] [32]} This included running adult social work services, something that had not been done by a commercial organisation in the UK before. Forty-three social workers were transferred to the company. ^[33] The service experienced significant IT issues during its first three months of operation which resulted in the cancellation of patient appointments, correspondence not being sent out and problems with updating patient records. ^[34]

In 2021, as a result of this contract, the company's Managing Director was noted to have been given a seat on the BSW Partnership Board. ^[35]

In that year, the services provided were reported to include two community hospitals, outpatients' clinics, and school nursing and immunisation services. ^[36] The organisation's contract was extended to 2027, taking it to the full 10-year term, at a slightly reduced £54.5m as a result of two services being brought back in-house. Councillor Rob Appleyard told a scrutiny panel meeting that awarding the contract was "not universally accepted" and there was "continual distrust", but "Covid was the making of the relationship with Virgin Care". ^[37]

West Lancashire

In 2016, the company won a five-year contract from West Lancashire CCG to provide adult community health services and urgent care services across the area. Commissioners said that the contract would lead to more "joined up" care. ^[38] In May 2021, the service was rated good by the CQC in its first inspection. ^[39]

Kent

Community services in part of Kent, previously provided by Kent Community Health NHS Foundation Trust, were transferred to Virgin Care by Swale CCG and Dartford, Gravesham and Swanley CCG in January 2016 in a contract worth £18 million a year for the seven years from April 2016, with an option to extend by a further three years. ^[40]

Legal cases

• In October 2012, a mother of two children mounted a challenge in the High Court against Devon County Council's decision to award health and social care contracts to Virgin Care. ^[41] The court allowed Virgin Care to keep the contract. ^[42]

• In early 2017, Virgin Care began legal proceedings against NHS England, Surrey County Council and the county's six clinical commissioning groups, claiming there were defects in the procurement process which led to another provider winning an £82 million three-year children's community services contract. ^[43] The lawsuit was settled out of court with a £328,000 payment to Virgin Care, resulting in some controversy. This included a petition signed by over 100,000 people addressed to Richard Branson and Virgin Care, demanding that they "return the NHS’s money, and never sue the NHS again", as well as criticism in Parliament from Shadow Health Secretary Jonathon Ashworth, who claimed that the NHS is already "underfunded" without having to make payments to private health companies. ^[44] Virgin Care stated that the money would be invested in services, rather than paid out to Virgin Group or Richard Branson. ^[45]

• Lancashire County Council (LCC) planned to award Virgin Care a five-year £104m contract in 2017 to provide public health services for children aged 0 to 19. Two Lancashire-area NHS Trusts, ^[a] who were the incumbent service providers, had jointly bid for the contract. They contested the decision to award a contract to Virgin Care on the grounds that the Council had not properly followed the procurement process. The High Court upheld the Trusts' concern and concluded that the procurement decision should be set aside. ^[46] In 2018, after LCC had re-evaluated the bids, in a process overseen by an independent panel of experts, it again chose Virgin Care. The decision was criticised by UNISON on the grounds that it would destabilise the NHS in Lancashire, that the gap between the two bids was only 0.07%, and that the council was helping to privatise the delivery of key NHS services. ^[47]

See also

• Private healthcare in the United Kingdom

Notes

1. Lancashire Care NHS Foundation Trust and Blackpool Teaching Hospitals NHS Foundation Trust

References

1. "Our history". Virgin Care. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
2. "Virgin Care Ltd". NHS For Sale. Archived from the original on 2 November 2018. Retrieved 14 November 2018.
3. Osborne, Hilary (5 August 2018). "Virgin awarded almost £2bn of NHS contracts in the past five years". The Guardian. ISSN   0261-3077. Archived from the original on 20 August 2021. Retrieved 27 August 2019.
4. Simons, Graham (3 December 2021). "Twenty20 Capital buys Virgin Care". Health & Protection. Retrieved 6 December 2021.
5. "Portfolio". Twenty20 Capital. Retrieved 6 December 2021.
6. "Introducing HCRG Care Group". Virgin. Retrieved 6 December 2021.
7. Carly Page (20 February 2025). "UK healthcare giant HCRG confirms hack after ransomware gang claims theft of sensitive data".
8. "Medusa ransomware gang demands $2M from UK private health services provider". 20 February 2025. Retrieved 21 March 2025.
9. Marco A. De Felice (23 February 2025). "Exclusive: The Impact of the HCRG Care Group Data Breach on Patients and Employees". SuspectFile. Retrieved 31 March 2025.
10. Marco A. De Felice (26 February 2025). "Exclusive: Medusa Unveils 50TB of Stolen Data from HCRG's Network, Gaining Full Control – HCRG Labeled Liars by the Ransomware Group". SuspectFile. Retrieved 31 March 2025.
11. "Hacked health firm HCRG demanded journalist 'take down' data breach reporting, citing UK court order". 6 March 2025. Retrieved 21 March 2025.
12. Jessica Lyons (13 March 2025). "Medusa ransomware infects 300+, uses 'triple extortion'". theregister.com. Retrieved 31 March 2025. When DataBreaches.net reported those details, it said it was hit with a London High Court injunction brought by HCRG, which the website ultimately ignored because the dot-net's US-based operators are outside the jurisdiction of the High Court of England and Wales. The lawyers said the injunction compels publishers to not assist in the dissemination, direct or otherwise, of "some or all of the confidential information stolen during the cyber-attack," and demanded two articles about the Medusa infection be taken down. DataBreaches.net had in those two stories linked to a separate blog that had obtained and published redacted samples of the stolen healthcare data.
13. Dissent (5 March 2025). "HCRG Care's lawyers claimed an injunction issued in a "private" hearing required us to remove two posts. We didn't comply. – DataBreaches.Net". databreaches.net. Retrieved 31 March 2025. Honorable Mr. Justice Soole
14. "Virgin Care and supporting a free, efficient NHS". Virgin. 12 January 2018. Archived from the original on 5 August 2020. Retrieved 27 August 2019.
15. Gallagher, Paul (8 January 2018). "Virgin Care Services: no corporation tax paid as profits from NHS contracts rise to £8m on £200m turnover". inews.co.uk. Archived from the original on 27 August 2019. Retrieved 27 August 2019.
16. "Virgin Care taken over by private equity firm". Health Service Journal. 6 December 2021. Retrieved 22 January 2022.
17. "Virgin Care wins medical centre contract". Health Service Journal. 26 September 2012. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
18. "Lyme Regis Medical Centre". www.cqc.org.uk. Archived from the original on 29 September 2019. Retrieved 29 September 2019.
19. "The care provider contract for this medical centre is set to end in January". Dorset Echo. Archived from the original on 29 September 2019. Retrieved 29 September 2019.
20. "Watchdog demands urgent meeting with Virgin over Mayday". insidecroydon.com. 21 November 2013. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
21. "Improving Lives - NHS East Staffordshire Clinical Commissioning Group". eaststaffsccg.nhs.uk. Archived from the original on 16 April 2021. Retrieved 12 January 2021.
22. "Anglesey House". www.cqc.org.uk. Archived from the original on 29 November 2020. Retrieved 12 January 2021.
23. Rebecca Thomas (31 March 2015). "Virgin Care terminates £270m prime provider role". Health Service Journal. Archived from the original on 14 November 2018. Retrieved 14 November 2018.
24. "Virgin Care ends Staffordshire health contract over cost". BBC News. 1 May 2019. Retrieved 12 January 2021.
25. "Virgin Care". North West Surrey Clinical Commissioning Group. Archived from the original on 7 September 2014.
26. Sophie Barnes (27 October 2014). "Virgin clinic probed over 'large number' of waiting time breaches". Health Service Journal. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
27. Moore, Alison (1 March 2018). "Virgin agrees contract extension in Surrey". Health Service Journal. Archived from the original on 30 July 2020. Retrieved 29 September 2019.
28. Clover, Ben (20 September 2019). "Virgin Care and NHS partner win £85m contract". Health Service Journal. Archived from the original on 1 December 2020. Retrieved 29 September 2019.
29. "Virgin Care wins £85m joint community services project with NHS Trust". Laing Buisson. 23 September 2019. Archived from the original on 20 April 2021. Retrieved 1 June 2020.
30. "New Adult Community Service contract goes live in Surrey". Virgin Care. Retrieved 1 June 2020.
31. Amanda Cameron (10 November 2016). "Virgin Care wins £700m contract to run health services in Bath and North East Somerset". Bath Chronicle. Archived from the original on 14 November 2018. Retrieved 14 November 2018.
32. Ashley Cowburn (11 November 2016). "Controversial 'Virgin Care' contract approved". The Independent . Archived from the original on 14 November 2018. Retrieved 14 November 2018.
33. Alex Turner (26 April 2017). "Social workers transferred to Virgin Care under landmark deal". Community Care. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
34. Amanda Cameron; Tristan Cork (6 October 2017). "Virgin Care 'asked staff not to report safety concerns' to health watchdog". Bristol Post. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
35. "Partnership Board Agenda" (PDF). Bath and North East Somerset, Swindon and Wiltshire Partnership. 28 May 2021. p. 2. Archived from the original (PDF) on 2 June 2021 – via Internet Archive.
36. "Health chiefs set to consider renewing £54m a year Virgin Care contract". Bath Echo. 9 November 2021. Archived from the original on 11 November 2021. Retrieved 10 November 2021.
37. Sumner, Stephen (11 November 2021). "Virgin Care secures three-year extension for health services in BANES costing £54m a year". SomersetLive. Archived from the original on 12 November 2021 – via Internet Archive.
38. "National Health Executive". 23 November 2016. Archived from the original on 24 July 2021. Retrieved 24 July 2021.
39. "Bickerstaffe House". www.cqc.org.uk. Archived from the original on 25 July 2021. Retrieved 24 July 2021.
40. John Nurden (13 January 2016). "Virgin Care takes over Sheppey and Sittingbourne hospitals". Kent on line. Archived from the original on 14 November 2018. Retrieved 14 November 2018.
41. Diane Taylor (7 October 2012). "Mother challenges Virgin Care takeover of mental health service". The Guardian . London. Archived from the original on 25 October 2018. Retrieved 14 November 2018.
42. "Judge says Virgin Care award did not comply with law but refuses to halt process". Public Law Today. 19 October 2012. Archived from the original on 8 January 2018. Retrieved 7 January 2018.
43. Chris Morris (14 March 2017). "Virgin Care to Sue NHS Over Children's Community Services Contract". Healthcare Times. Derby. Archived from the original on 13 November 2018. Retrieved 14 November 2018.
44. Isabel Dobinson (8 December 2017). "'The NHS is under severe financial pressure, it cannot afford to lose this money': Nearly 50,000 people urge Virgin Care to return £328,000 Surrey contract dispute payout". getSurrey. Surrey. Archived from the original on 6 November 2019. Retrieved 14 November 2018.
45. "Why it's wrong to say we sued the NHS because we lost a contract in Surrey". Virgin Care. 1 June 2019. Archived from the original on 11 April 2021 – via Internet Archive.
46. Daly, A., Have the lessons from Lancashire Care NHS FT & Blackpool Teaching Hospitals NHS FT v Lancashire County Council been learnt?, Hempsons LLP, published 22 May 2019, accessed 31 July 2023
47. "Council strips contract from NHS trusts and hands it to Virgin after High Court row". National Health Executive. 18 October 2018. Archived from the original on 7 June 2020. Retrieved 7 June 2020.

External links

• Official website