Barts Health NHS Trust has confirmed that the Russian-speaking Cl0p ransomware group stole files from one of its invoice databases after exploiting a vulnerability in Oracle E-Business Suite. The breach exposed data linked to payments for treatment and services, with some records going back several years.
Hackread.com first reported on the Cl0p activity in November twenty twenty five, noting the group had leaked 241 GB of NHS data on its hidden site shortly after claiming responsibility for a wider campaign against healthcare targets.
Cl0p Ransomware leaking NHS data (Image credit: Hackread.com)
Now, according to Barts’ press release, the stolen material includes names and addresses of patients who were billed for care, records of former staff with unresolved salary issues and payment details for suppliers. Most supplier information is already public. Clinical systems and patient records were not affected.
Files linked to accounting services provided to Barking Havering and Redbridge University Hospitals NHS Trust since April 2024 were also compromised. Barts advises patients to review any invoices they received to understand if their data was involved.
The breach occurred in August but went undetected until November, when the files surfaced on the Cl0p ransomware‘s dark web leak site. Oracle has since patched the exploited flaw. Barts has reported the incident to NHS England, the National Cyber Security Centre, the Metropolitan Police and data regulators. It is also see
Source: https://hackread.com/barts-health-nhs-cl0p-ransomware-data-breach/
Barts Health NHS Trust cybersecurity rating report: https://www.rankiteo.com/company/barts-health-nhs-trust
"id": "BAR1765043770",
"linkid": "barts-health-nhs-trust",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Patients billed '
'for care, former '
'staff with salary '
'issues, suppliers',
'industry': 'Healthcare',
'location': 'United Kingdom',
'name': 'Barts Health NHS Trust',
'size': None,
'type': 'Healthcare Provider'},
{'customers_affected': 'Accounting '
'services clients '
'since April 2024',
'industry': 'Healthcare',
'location': 'United Kingdom',
'name': 'Barking Havering and Redbridge '
'University Hospitals NHS Trust',
'size': None,
'type': 'Healthcare Provider'}],
'attack_vector': 'Exploitation of vulnerability in Oracle '
'E-Business Suite',
'customer_advisories': 'Patients advised to review invoices for '
'potential data exposure',
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes (241 GB of data leaked '
'on dark web)',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally '
'identifiable '
'information, financial '
'data)',
'type_of_data_compromised': ['Patient billing '
'information '
'(names, addresses)',
'Former staff '
'salary records',
'Supplier payment '
'details']},
'date_detected': '2025-11',
'date_publicly_disclosed': '2025-11',
'description': 'Barts Health NHS Trust confirmed that the '
'Russian-speaking Cl0p ransomware group stole '
'files from one of its invoice databases after '
'exploiting a vulnerability in Oracle E-Business '
'Suite. The breach exposed data linked to '
'payments for treatment and services, with some '
'records going back several years. The stolen '
'material includes names and addresses of '
'patients who were billed for care, records of '
'former staff with unresolved salary issues, and '
'payment details for suppliers. Clinical systems '
'and patient records were not affected. Files '
'linked to accounting services provided to '
'Barking Havering and Redbridge University '
'Hospitals NHS Trust since April 2024 were also '
'compromised.',
'impact': {'brand_reputation_impact': 'Yes',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': '241 GB of NHS data leaked',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'Yes (patient and staff '
'personal data exposed)',
'legal_liabilities': 'Potential regulatory fines and '
'legal actions',
'operational_impact': 'Potential disruption to '
'billing and accounting '
'services',
'payment_information_risk': 'Yes (supplier payment '
'details exposed)',
'revenue_loss': None,
'systems_affected': 'Invoice database, accounting '
'services'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': 'Yes (241 GB '
'of data '
'leaked)',
'entry_point': 'Oracle E-Business '
'Suite vulnerability',
'high_value_targets': 'Invoice and '
'accounting '
'databases',
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain (ransomware extortion)',
'post_incident_analysis': {'corrective_actions': 'Oracle '
'vulnerability '
'patched, '
'incident '
'reported to '
'authorities',
'root_causes': 'Exploitation of '
'unpatched Oracle '
'E-Business Suite '
'vulnerability'},
'ransomware': {'data_encryption': None,
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': 'Cl0p'},
'references': [{'date_accessed': '2025-11',
'source': 'Hackread.com',
'url': None},
{'date_accessed': '2025-11',
'source': 'Barts Health NHS Trust Press Release',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': ['UK Data '
'Protection '
'Act',
'GDPR'],
'regulatory_notifications': 'Yes (NHS '
'England, '
'National '
'Cyber '
'Security '
'Centre, '
'data '
'regulators)'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Press release advising '
'patients to review '
'invoices',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': 'Yes (Metropolitan '
'Police)',
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Oracle vulnerability '
'patched',
'third_party_assistance': None},
'stakeholder_advisories': 'Reported to NHS England, National '
'Cyber Security Centre, Metropolitan '
'Police, and data regulators',
'threat_actor': 'Cl0p ransomware group',
'title': 'Cl0p Ransomware Attack on Barts Health NHS Trust',
'type': 'Ransomware',
'vulnerability_exploited': 'Oracle E-Business Suite '
'vulnerability (patched '
'post-incident)'}