A U.S.-based independent cybersecurity journalist has refused to comply with a court-ordered injunction issued by a U.K. court, which was obtained by U.K. private healthcare giant HCRG following the journalist’s reporting on a recent cyberattack.
The law firm Pinsent Masons, acting on behalf of HCRG, served a court order on February 28, demanding that DataBreaches.net remove two articles related to the ransomware attack on HCRG. The law firm’s notice, which TechCrunch has seen, stated that the injunction aims to prevent the publication or disclosure of confidential data stolen during the cyberattack.
The notice from Pinsent Masons warned DataBreaches.net that failure to comply with the injunction may result in contempt of court, potentially leading to imprisonment, fines, or asset seizure. However, DataBreaches.net, operated by journalist Dissent Doe, declined to remove the posts and instead published details of the injunction in a blog post on Wednesday.
Citing a letter from their law firm Covington & Burling, Dissent argued that DataBreaches.net is not subject to the jurisdiction of the U.K. injunction and that the reporting is protected under the First Amendment in the United States, where the site is based. Additionally, Dissent noted that the court order does not specifically mention DataBreaches.net or the articles in question.
This incident highlights the challenges faced by cybersecurity journalists, who often encounter legal threats and demands when reporting on sensitive information that companies would rather keep private. However, it is rare for journalists to publish the details of such injunctions due to concerns about potential legal repercussions.
The details of the injunction offer a unique insight into the use of U.K. law to issue legal demands for the removal of published stories that are critical or embarrassing to companies. The law firm’s letter also confirms that HCRG was indeed hit by a ransomware cyberattack.
HCRG, formerly known as Virgin Care, is one of the largest independent healthcare providers in the U.K., with over 5,000 employees and covering around 500,000 patients across the country. On February 20, the company confirmed that it was investigating a cybersecurity incident after the Medusa ransomware gang claimed responsibility for the breach, stating that it had stolen 2 terabytes of data from HCRG’s systems.
When contacted by TechCrunch, HCRG spokesperson Alison Klabacher stated that the company had taken legal action to prevent the republication of any data accessed by the criminal group, aiming to minimize potential risks to those affected. HCRG is investigating the incident with external specialists and will notify affected individuals as necessary.
A spokesperson for Pinsent Masons did not provide comment by the time of publication. According to the legal demand, Pinsent Masons cited two posts on DataBreaches.net, which reported on the Medusa ransomware gang’s claims and threats to publish personally identifiable information and sensitive health data if HCRG did not pay a ransom.
The posts on DataBreaches.net contain similar information to that reported by TechCrunch and other outlets. Dissent noted that Pinsent Masons sent the injunction to DataBreaches.net’s domain registrar, which initially warned that the site’s domain would be suspended if the posts were not removed. However, the domain registrar later reversed its decision and declined to suspend DataBreaches.net.
HCRG has not yet publicly disclosed the breach on its website. Dissent stated in their blog post that, in the absence of updates from HCRG, much of the information about the cyberattack has been covered by independent journalists, including cybersecurity blog SuspectFile, which has reported new details about the HCRG cyberattack.
Dissent argued that the court’s injunction could prevent the public from understanding the severity of the breach and its potential impact on those affected. Furthermore, it could set a precedent for widespread censorship of journalists in the U.K. or elsewhere, potentially allowing companies to silence reporters by demanding the removal of past or future reporting on data stolen from U.K. entities.
“Journalists with any connection to the U.K. might be emailed injunctions demanding they remove past reporting on data stolen from U.K. entities, or they could be prohibited from any future reporting on any data stolen from a U.K. entity,” Dissent said.