**NHS Hit by Major Cyberattack: Clop Ransomware Gang Exploits Oracle Vulnerability, Exposes 168,000 Files**
Google Threat Research has uncovered a severe cybersecurity breach targeting the UK’s National Health Service (NHS), orchestrated by the Clop ransomware gang. The attack, linked to a vulnerability in Oracle software used by the NHS and UK Treasury, resulted in the exposure of over 168,000 files, which were later leaked on the dark web.
The breach compromised sensitive medical data, including records of high-profile individuals such as members of the British and Foreign Royal Families, Attorney Generals, and House of Lords officials. Particularly alarming was the exposure of personal health details, including cancer treatment records of Royal Household members, adding a layer of political and public sensitivity to the incident.
The vulnerability in Oracle’s software was first flagged by the UK’s National Cyber Security Centre (NCSC) in September 2023, with warnings about its potential for exploitation. Despite early alerts, the attack went undetected until the data was leaked, raising concerns about the security of critical infrastructure. The Clop gang, known for targeting healthcare organizations, exploited the flaw in a calculated move, with fears that other high-value targets, such as the UK Treasury, could be next.
Oracle has since issued a patch to address the vulnerability, and the UK Ministry of Defense confirmed that the flaw has been fixed. The NHS has stated it will not comply with ransom demands, adhering to UK law, which prohibits payments to cybercriminals. However, the full scope of the breach remains unclear, as authorities investigate whether all leaked files belong to NHS patients or include data from other affected systems.
The incident underscores the growing threat to public health infrastructure, which has become a prime target for ransomware groups. While the NHS has moved to contain the damage, the breach highlights the need for stronger security measures and proactive threat detection. The exposure of high-profile individuals’ data further amplifies concerns about the protection of sensitive information across government sectors.
Investigations are ongoing, with cybersecurity experts analyzing the Clop gang’s methods and assessing the long-term impact on public trust in the NHS and broader UK public services. The attack serves as a stark reminder of the risks posed by sophisticated cyber threats to critical digital infrastructure.
NHS cybersecurity rating report: https://www.rankiteo.com/company/nhs
"id": "NHS1765823332",
"linkid": "nhs",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"{'affected_entities': [{'customers_affected': 'Patients, high-profile '
'individuals (e.g., Royal '
'Family, Attorney Generals, '
'House of Lords members)',
'industry': 'Public Health',
'location': 'United Kingdom',
'name': 'UK National Health Service (NHS)',
'size': 'Large',
'type': 'Healthcare'}],
'attack_vector': 'Exploitation of Oracle software vulnerability',
'data_breach': {'data_exfiltration': 'Yes (leaked on the dark web)',
'number_of_records_exposed': 'Over 168,000 files',
'personally_identifiable_information': 'Yes (addresses, '
'health details)',
'sensitivity_of_data': 'High (includes cancer treatment '
'records of Royal Household members)',
'type_of_data_compromised': ['Medical records',
'Personal information',
'Health information']},
'description': 'Google Threat Research uncovered a cybersecurity breach '
'linked to a vulnerability in Oracle software used by the UK’s '
'National Health Service (NHS). The Clop ransomware gang '
'exploited the vulnerability to infiltrate NHS systems and '
'leaked over 168,000 files on the dark web, including '
'sensitive medical data of high-profile individuals such as '
'members of the British and Foreign Royal Families, Attorney '
'Generals, and key figures in the House of Lords.',
'impact': {'brand_reputation_impact': 'Significant public concern and '
'criticism of NHS and Oracle',
'data_compromised': 'Over 168,000 files',
'identity_theft_risk': 'High (exposure of personally identifiable '
'information)',
'legal_liabilities': 'Potential regulatory fines and legal actions',
'operational_impact': 'Disruption to healthcare services, '
'potential endangerment of lives',
'systems_affected': 'NHS systems, potentially UK Treasury'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (leaked data)',
'entry_point': 'Oracle software vulnerability',
'high_value_targets': 'NHS, potentially UK '
'Treasury'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Need for stronger security protocols, proactive threat '
'detection, and enhanced cybersecurity measures in '
'critical public services like healthcare.',
'motivation': 'Financial gain, data exfiltration, reputational damage',
'post_incident_analysis': {'corrective_actions': 'Patch deployment, ongoing '
'investigations, enhanced '
'security protocols',
'root_causes': 'Exploitation of known Oracle '
'software vulnerability, delayed '
'detection, insufficient proactive '
'security measures'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_paid': 'No (UK law prohibits ransom payments)',
'ransomware_strain': 'Clop'},
'recommendations': 'Prioritize cybersecurity updates, enhance monitoring, and '
'remain vigilant against evolving cyber threats. '
'Strengthen defenses for high-value targets and sensitive '
'data.',
'references': [{'source': 'Google Threat Research'},
{'source': 'The Mail'},
{'source': 'National Cyber Security Centre (NCSC)'}],
'regulatory_compliance': {'regulations_violated': ['UK data protection laws '
'(potentially GDPR)']},
'response': {'communication_strategy': 'NHS confirmed data leak, assured no '
'further data would be leaked',
'containment_measures': 'Oracle issued a patch to address the '
'vulnerability',
'remediation_measures': 'Vulnerability patched, investigations '
'ongoing'},
'stakeholder_advisories': 'Ministry of Defense confirmed vulnerability '
'patching; NHS assured no further data leaks.',
'threat_actor': 'Clop ransomware gang',
'title': 'NHS Oracle Software Vulnerability Exploited by Clop Ransomware Gang',
'type': 'Data Breach, Ransomware',
'vulnerability_exploited': 'Oracle software vulnerability (identified in '
'September 2023 by NCSC)'}