Barts Health, the UK’s largest NHS trust, which runs five major hospitals across London, has confirmed that patient and staff data was stolen in ransomware gang Cl0p‘s mass-exploitation of Oracle’s EBS.
“We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone,” Barts Health said in an update on its website.
Cl0p posted several stolen files on the dark web, including names and addresses of people who were liable to pay for treatment or services at a Barts Health hospital over several years.
Several former employees are also listed because they left employment owing to the trust for salary sacrifice or overpayment.
“Almost half of the potentially compromised files list suppliers of goods or services whose details are in the public domain,” the company said.
The database also includes files relating to accounting services Barts Health provided since April 2024 to Barking, Havering, and Redbridge University Hospitals NHS Trust.
“We are working with them to minimise the harm to those affected,” it said.
The data theft happened in August, but Barts Health said there was no indication that trust data was at risk until last month, when the files were posted on the dark web.
“To date, no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web,” Barts said.
Dozens of Oracle EBS Environments Breached
Researchers revealed that Cl0p has been raiding the Oracle EBS flaw since early August, way before the Oracle rushed to fix for the vulnerability on 4 October. In November, the gang claimed to have breached dozens of Oracle EBS environments globally, gathering vendor records, internal financial documents, HR data, contracts, and other sensitive information.
“The syndicate exploited a loophole in the Oracle E-business Suite software, which automates key business processes. This impacted many organisations across the world, and Oracle has since corrected the issue.
We are working with NHS England, the National Cyber Security Centre, and the Metropolitan Police, and reported the breach to relevant regulators including the Information Commissioner’s Office,” Barts Health added.
Despite Barts’s plea to the High Court, Cl0p is already threatening to dump the NHS files on its dark web, injunction or not.
A Last-Ditch Effort to Limit Damage
John Carberry, Solution Sleuth at Xcape Inc, said: “Barts Health’s urgent court order to prevent data publication is a last-ditch effort to limit damage, but it’s unlikely to deter a cybercrime group on the dark web. This highlights the NHS’s increasing concern over data theft and extortion related to third-party enterprise software, not just clinical systems.”
He said this is particularly concerning, as it involves billing records and financial information of former staff, which can be used for fraud and phishing even without medical data. “The delay between the August theft and the November dark web posting also illustrates a common issue: victims often discover the breach only when criminals make it public.”
Carberry said Cl0p’s campaign targeting Oracle E-Business Suite users appears to be a systematic exploitation of a widely used platform, and Barts is just one prominent example of a victim. “The incident reveals that the UK’s largest trust failed to detect the data theft from its financial system for months, leaving essential infrastructure vulnerable.”
According to him, the greatest failure isn’t the zero-day itself; it’s the fact that Cl0p’s dark web leak site informed the NHS they were compromed three months before their internatl systems did.
An Injunction Won’t Stop CI0p
Michael Bell, Founder & CEO of Suzu Labs, added: “A High Court injunction won’t stop Cl0p from publishing stolen NHS data because ransomware crews operating from Russia and other sanctioned or non-extradition countries don’t recognize UK court orders, and the gang has already said as much by threatening to dump the files regardless.”
Bell said the three-month gap between the August theft and November discovery is the real story here, as outlined in the Barts statement.
“The NHS had no indication their data was at risk until Cl0p announced it publicly, which means detection failed entirely and the organization learned about the breach from the attacker, not their own security controls. This is Cl0p’s Oracle EBS campaign playbook being executed exactly as expected they exploited the vulnerability for two months before Oracle patched it, built an inventory of victims, and are now working through that list systematically.”
He advised healthcare entities who use Oracle EBS to assume they’re already compromised and focus on detection and containment rather than hoping they weren’t on Cl0p’s target list.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.