The NHS is investigating a cyberattack claimed by the extortion group **Clop**, which listed the NHS.uk domain on its leak site on **November 11** without publishing any stolen data. The attack reportedly exploits a vulnerability in **Oracle E-Business Suite (EBS)**, a system widely used across the NHS for managing sensitive patient data. While Clop did not specify which NHS branch was compromised, the potential exposure of patient records—given the NHS’s role as Europe’s largest employer and a critical healthcare provider—poses severe risks. The NHS, which refuses to pay ransoms, is collaborating with the **National Cyber Security Centre (NCSC)** to assess the breach. Historical attacks on the NHS have disrupted life-saving services, and this incident could similarly threaten patient safety if systems are compromised. The UK’s proposed ban on ransom payments for public sector organizations further complicates recovery efforts, leaving the NHS vulnerable to prolonged operational and reputational damage.
Source: https://www.theregister.com/2025/11/14/nhs_clop/
NHS England cybersecurity rating report: https://www.rankiteo.com/company/nhsengland
"id": "NHS3432334111425",
"linkid": "nhsengland",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"{'affected_entities': [{'industry': 'healthcare',
'location': 'United Kingdom',
'name': 'UK National Health Service (NHS)',
'size': 'large (largest employer in Europe)',
'type': 'public healthcare system'}],
'attack_vector': ['exploit of Oracle E-Business Suite (EBS) vulnerability'],
'data_breach': {'data_exfiltration': 'unconfirmed (Clop listed NHS on leak '
'site but no data published yet)',
'personally_identifiable_information': 'likely (NHS stores '
'vast quantities of '
'patient data)',
'sensitivity_of_data': 'high (potential patient data, '
'including personally identifiable '
'information)'},
'date_publicly_disclosed': '2023-11-11',
'description': "The UK's National Health Service (NHS) is investigating "
'claims of a cyberattack by the extortion crew Clop. The gang, '
'known for targeting organizations using an Oracle E-Business '
'Suite (EBS) exploit, listed the NHS on its leak site on '
'November 11, 2023, but has not yet published any stolen data. '
'The NHS has neither confirmed nor denied the intrusion, and '
'its cybersecurity team is collaborating with the National '
'Cyber Security Centre (NCSC) to investigate. Clop did not '
'specify which branch of the NHS was compromised, and the NHS '
'does not pay ransoms, making extortion unlikely to succeed. '
"The attack highlights the NHS's vulnerability as a high-value "
'target due to its vast sensitive patient data and critical '
'life-saving systems.',
'impact': {'brand_reputation_impact': 'potential reputational harm due to '
'public disclosure of attack claims',
'identity_theft_risk': 'high (if patient data was accessed, given '
'NHS stores vast quantities of sensitive '
'data)'},
'initial_access_broker': {'entry_point': 'potential Oracle E-Business Suite '
'(EBS) exploit',
'high_value_targets': 'patient data, critical '
'healthcare systems'},
'investigation_status': 'ongoing (NHS cybersecurity team and NCSC '
'investigating)',
'motivation': ['financial extortion', 'data theft'],
'ransomware': {'data_exfiltration': 'unconfirmed',
'ransom_paid': 'no (NHS policy is to not pay ransoms)'},
'references': [{'source': 'The Register'}],
'response': {'communication_strategy': 'public statement issued (neither '
'confirmed nor denied intrusion)',
'incident_response_plan_activated': 'yes (NHS cybersecurity team '
'involved)',
'third_party_assistance': 'yes (National Cyber Security Centre - '
'NCSC)'},
'threat_actor': 'Clop (extortion crew)',
'title': "Potential Cyberattack on UK's National Health Service (NHS) by Clop "
'Extortion Crew',
'type': ['potential data breach', 'extortion attempt'],
'vulnerability_exploited': 'Oracle E-Business Suite (EBS) exploit '
'(unspecified)'}