NHS Among Victims as Global Hack on Oracle Software Compromises Health Data

A global cyberattack pulled a major London hospital group right into the middle of it. The hackers got their hands on years of sensitive patient and financial data.

The breach exploited a secret flaw in common business software. It went undetected for months before the stolen files appeared online.

Oracle Software Flaw Used in Worldwide Spree

A big UK hospital group, Barts Health NHS Trust, has confirmed that it was hit by a major data breach. The Clop ransomware gang got in and stole files straight from their systems.

This actually happened in August—hackers slipped in through a “zero-day” hole in Oracle’s E-Business Suite, which a lot of businesses use to keep things running.

Oracle patched the issue afterward. They labeled the fix as CVE-2025-61882. But Clop had already exploited it against many high-profile targets. These included Harvard University, the Washington Post, and Logitech.

Barts Health only discovered its data was compromised in November. The gang added the trust to its dark web leak site and published the files.

What Patient and Financial Data Was Stolen?

The exposed data is contained within invoices and accounting files. It does not include medical records or clinical systems, which remain secure.

The stolen files contain full names and addresses of patients liable to pay for treatment. Details of former employees with debts and supplier information were also leaked.

Some files related to services provided to another NHS trust since April last year. This means the breach affects sensitive financial records across multiple years.

“The risk is limited to those able to access compressed files on the encrypted dark web,” Barts Health stated. No information has been published on the general internet yet.

The trust has notified UK cybersecurity authorities and the police. It urged patients affected to review their old invoices and be vigilant in case they receive suspicious messages (think phishing attempts or scam related to the stolen data).

According to reports, Barts is taking the matter to court and is seeking a ban to stop anyone from sharing or posting the stolen data online.

The Clop Ransomware and How It Works

Clop is far more than a simple virus. It’s a really complex setup run by cyber crooks thought to operate on a ransomware-as-a-service basis, and they are probably from Russian-speaking areas.

They create the malicious software and rent it out to other criminals. Simple as that. Their attacks are multi-step and manual. The hackers force their way in first, most times through phishing emails or loopholes in pieces of software. They then explore networks to steal data before deploying any encryption.

Recently, Clop has shifted tactics. Like in the Barts Health attack, they often skip encrypting files altogether. They focus purely on stealing data and then threatening to leak it. This “double extortion” puts immense pressure on victims. Their history shows a pattern of exploiting specific, popular software. Before the Oracle flaw, they massively hacked MOVEit file transfer software in 2023, in an attack that compromised a major healthcare data pipeline. That one attack compromised over 62 million individuals.

In fact, this new attack on NHS data uses the exact same playbook they perfected just last month, when they famously breached the security giant Entrust using a different Oracle zero-day. It shows they’re systematically hunting for weaknesses in the software that powers critical organizations worldwide.

The U.S. government has already identified this ransomware group as a big threat to the point that, in 2023, it willingly offered $10 million as a reward for whoever came forward with info about them via an official X post.

Experts say the simplest things are key to staying safe from their attacks. Update all software immediately, especially after a patch is announced. Train staff to recognize phishing attempts. And always maintain offline, secure backups of critical data.