Barts Health NHS Trust has confirmed a significant data breach attributable to the Cl0p ransomware group, which exploited a vulnerability within Oracle E-Business Suite to access files from one of its invoice databases. This breach has led to the exposure of sensitive information related to payments for medical treatment and services, with some records dating back several years.
The incident came to light after Hackread.com reported in November 2025 that Cl0p had leaked approximately 241 GB of NHS data on a hidden site, shortly after claiming responsibility for a broader campaign targeting healthcare organizations.
According to a recent press statement from Barts Health, the breached data includes the names and addresses of patients billed for care, unresolved salary records of former staff, and payment details for suppliers, although much of the supplier data is publicly available. Fortunately, clinical systems and patient medical records were not compromised.
The breach extends to files linked to accounting services provided to Barking Havering and Redbridge University Hospitals NHS Trust since April 2024. In light of the breach, Barts Health has advised patients to thoroughly review any invoices received to determine if their personal information has been involved.
The vulnerability was exploited in August but was not detected until November when the stolen files appeared on the Cl0p ransomware group’s dark web leak site. Oracle has since patched the vulnerability, and Barts Health has reported the breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and relevant data protection regulators. The trust is also pursuing a High Court order to prevent further dissemination of the stolen data.
NHS and ransomware attacks
This incident further underscores a concerning trend of ransomware attacks targeting the UK’s National Health Service (NHS). In recent months, the Qilin ransomware group has reportedly leaked patient records after breaching an NHS supplier, which subsequently disrupted emergency care in London. Hackread also noted that one such incident was connected to the death of a patient due to treatment delays caused by the attack.
Additionally, NHS entities in Scotland have faced similar threats, with the INC group claiming to have compromised several terabytes of patient files, which they later distributed on hidden forums while issuing threats to UK health services.
Such breaches exhibit common characteristics where cybercriminals exploit vulnerabilities in widely utilized enterprise systems. Once they gain access, attackers often pursue administrative data that can be sold or leveraged for extortion. Even when clinical systems remain intact, the repercussions of these breaches can strain staff, who must rebuild trust and manage the potential fallout from fraud.
While the data stolen in the Barts Health incident pertains primarily to invoices rather than clinical records, it still poses risks for social engineering. Cybercriminals may exploit basic personal information to facilitate payment fraud. In response, Barts Health is directing individuals to appropriate resources for fraud prevention and encouraging those with concerns to reach out to its data protection officer.
