Notorious ransomware gang Clop is back with another bold claim, this time insisting it hacked “the NHS,” The Register reports.
Which part of the sprawling UK healthcare system? The gang doesn’t say. It listed only the NHS.uk domain on its leak site on November 11 and published no data. For a system made up of hundreds of trusts, agencies, and regional bodies, that’s not much to go on.
The extortion crew has spent recent months exploiting an Oracle E-Business Suite zero-day to hit private organizations. Adding “the NHS” to its victim roster sounds dramatic, but the lack of specifics raises a simple question: Does Clop even know which organization it touched?
Its supporting details don’t inspire confidence. Clop claimed the NHS generates $234 billion in annual revenue, a figure suspiciously close to a quick Google result for the Department of Health and Social Care’s 2023/24 budget. More recent budgets are higher, but accuracy has never been a priority for cybercriminals trying to inflate their targets’ value.
Asked about Clop’s claims, NHS England didn’t confirm an intrusion. It didn’t deny one either. A spokesperson told The Register: “We are aware that the NHS has been listed on a cybercrime website as being impacted by a cyberattack, but no data has been published. Our cybersecurity team is working closely with the National Cyber Security Centre to investigate.”
If Clop did break into part of the health service, extortion won’t get them far. The NHS is chronically underfunded, stretched across legacy systems, and firmly committed to not paying ransoms. Criminal groups have tried before, and they’ve walked away empty-handed. Meanwhile, every attack disrupts care and puts patients at risk, which is why security officials have long argued the NHS should be off limits.
Despite that, criminals continue to circle it. The NHS is one of Europe’s largest employers and depends on tightly interlinked systems to keep hospitals running. Its Oracle EBS handles significant volumes of sensitive data, which makes any potential breach a serious concern for investigators.
Regardless of what Clop claims, the gang faces a shrinking window to squeeze money from UK public bodies. The government is pushing forward with a proposal to ban ransom payments across the public sector. If it becomes law, even the few entities that might once have debated paying criminals won’t legally be able to.
For now, the NHS and the NCSC are trying to determine what, if anything, happened. Clop is making noise without offering evidence. And patients are once again stuck in the middle while cybercriminals posture for attention.
Graeme Stewart, head of public sector at Check Point Software, said: “This is yet another attack on the NHS. Unfortunately, it’s something we, as a society, have almost become accustomed to; these incidents occur every single day. Most never reach the mainstream media, but Check Point Research shows that healthcare organisations in the UK face an average of 1,134 cyberattacks per organisation per week.”
He says healthcare remains one of the most targeted sectors in the country.
“Clop hasn’t been clear about which part of the NHS they’ve hit, and from their statements, it’s not obvious they fully understand it themselves. That in itself is symptomatic of the wider issue. For NHS cybersecurity teams, this is simply another day in the life, and that’s the real problem here. So yes, it’s a call to arms and a timely reminder of the need for sustained, sensible investment in NHS cybersecurity: in people, processes, and technology.”
But to borrow a line from David Byrne: “Same as it ever was.” This is the reality now, and we must ensure the NHS is properly equipped to deal with it,” Stewart adds.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.