Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach

Barts Health NHS Trust has confirmed that the Russian-speaking Cl0p ransomware group stole files from one of its invoice databases after exploiting a vulnerability in Oracle E-Business Suite. The breach exposed data linked to payments for treatment and services, with some records going back several years.

Hackread.com first reported on the Cl0p activity in November twenty twenty five, noting the group had leaked 241 GB of NHS data on its hidden site shortly after claiming responsibility for a wider campaign against healthcare targets.

Cl0p Ransomware leaking NHS data (Image credit: Hackread.com)

Now, according to Barts’ press release, the stolen material includes names and addresses of patients who were billed for care, records of former staff with unresolved salary issues and payment details for suppliers. Most supplier information is already public. Clinical systems and patient records were not affected.

Files linked to accounting services provided to Barking Havering and Redbridge University Hospitals NHS Trust since April 2024 were also compromised. Barts advises patients to review any invoices they received to understand if their data was involved.

The breach occurred in August but went undetected until November, when the files surfaced on the Cl0p ransomware‘s dark web leak site. Oracle has since patched the exploited flaw. Barts has reported the incident to NHS England, the National Cyber Security Centre, the Metropolitan Police and data regulators. It is also seeking a High Court order to block the circulation of the stolen data.

NHS UK data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

****NHS and ransomware attacks****

The Barts incident adds to a growing list of ransomware activity aimed at UK health services. In recent months, Qilin ransomware has released patient records on private channels after hitting an NHS supplier, which affected emergency care in London. Hackread reported that one of those incidents has been linked by staff to the death of a patient after a disruption caused delays in treatment.

More attacks have targeted NHS bodies in Scotland. The INC group claimed to have taken several terabytes of patient files and later released the material on hidden forums while also publishing threats against UK health services.

These cases share common traits. Attackers look for security vulnerabilities in widely used enterprise systems. Once inside, they move toward administrative data that can be sold or used for pressure campaigns. Even when clinical systems stay intact, the fallout strains staff who have to rebuild trust and manage fraud risks for those affected.

Although the Barts theft involves invoice data rather than clinical records, it still creates opportunities for social engineering. Cyber criminals often use basic personal details to support payment fraud. Barts is directing people to Stop Think Fraud for advice and is urging anyone with questions to contact its data protection officer.