Barts Health NHS Trust Launches Legal Action After Cyberattack Exposes Patient and Staff Data

In December 2025, Barts Health NHS Trust – one of the UK’s largest hospital trust, confirmed it was the victim of a major cyberattack orchestrated by the Cl0p ransomware gang. This incident, a significant NHS cyberattack, led to the theft of sensitive patient and staff data, making it one of the most high-profile healthcare data breach events of the year. The breach has raised serious concerns about digital health security across the National Health Service and beyond.

• Cl0p hackers exploited a zero-day vulnerability in Oracle’s enterprise software (E-Business Suite) to gain access to Barts Health’s finance database.

• Stolen records – including patient and staff names, addresses, and invoice records – were exfiltrated in August 2025 and posted on the dark web in November 2025.

• Electronic Patient Records (EPR) and core clinical systems were not affected by the attack, according to the trust’s statement.

• Barts Health responded with urgent legal action, seeking a High Court injunction and collaborating with national authorities to investigate.

What Happened in the Barts Health Cyberattack?

The cyberattack on Barts Health NHS Trust was carried out by a criminal group known as Cl0p, which exploited a zero-day flaw in Oracle’s E-Business Suite (EBS). This flaw allowed attackers to infiltrate the trust’s business systems in August 2025, stealing data from a financial database used for invoicing. Barts only discovered the breach in November 2025 when the files appeared on Cl0p’s dark web leak site. The trust publicly disclosed the incident on 5 December 2025.

Data Compromised: Invoice Records Only, Not Clinical Systems

The breach involved invoice data stored in a non-clinical database. The stolen files contained:

• Names and home addresses of patients who had paid for treatments or services

• Data on some former staff members (e.g., those with payroll-related overpayments)

• Supplier-related financial records

Notably, no clinical records or Electronic Patient Records were affected. Barts confirmed that hospital care systems remained secure. The stolen data could, however, be misused for phishing or fraud. Barts Health is directly contacting individuals whose data may have been exposed, especially those who received invoices, advising them to stay alert.

Barts Health’s Response and Legal Action

Upon discovering the breach, Barts Health launched legal action by seeking a High Court injunction to prevent the dissemination of the stolen data. While such injunctions cannot stop cybercriminals overseas, they can deter legitimate UK entities from inadvertently sharing or hosting the compromised files.

The trust also reported the breach to:

• The Information Commissioner’s Office (ICO)

• The National Cyber Security Centre (NCSC)

• NHS England

• The Metropolitan Police

These agencies are supporting Barts in containment, investigation, and future risk mitigation.

Impact on Barking, Havering and Redbridge Trust

The breach also affected Barking, Havering and Redbridge University Hospitals NHS Trust (BHRUT). Barts provides financial services to BHRUT, and some of its invoice records were stored in the compromised database. Barts Health confirmed it is working closely with BHRUT to limit any harm and inform affected individuals.

Cl0p Ransomware Group: A Known Threat

The Cl0p ransomware gang is a well-known Russian-speaking cybercriminal organisation. They specialise in data theft and extortion. Cl0p previously exploited zero-day vulnerabilities in secure file transfer systems and was behind the 2023 MOVEit breach that affected thousands of organisations worldwide.

In this campaign, Cl0p used the Oracle EBS vulnerability (CVE-2025-61882) to steal data from Barts and numerous other institutions globally. Oracle has since released a patch, but the flaw was unknown (zero-day) at the time of the breach, making it undetectable until after the attack.

Digital Health Security Lessons and the Role of Cyber Essentials

This incident underscores the urgency for supply chain cybersecurity and digital resilience in the healthcare sector. As hackers increasingly target third-party software, healthcare providers must ensure their vendors meet high cybersecurity standards.

Cyber Essentials, a UK government-backed framework, outlines five basic security controls:

• Firewalls

• Secure configuration

• User access control

• Malware protection

• Timely patch management

Although Cyber Essentials alone cannot stop zero-day exploits like the one used in this attack, it emphasises fast patching once fixes become available, a critical defence. Barts has stated it is now working with suppliers to prevent similar incidents.

The Barts Health NHS cyberattack demonstrates how third-party vulnerabilities can result in significant healthcare data breaches. With no clinical systems compromised, the operational impact was limited, but the exposure of personal and financial details raises serious privacy concerns.

Barts Health’s swift legal and regulatory response is commendable. Going forward, NHS organisations must adopt a holistic cybersecurity strategy that covers internal systems and supplier risk, with frameworks like Cyber Essentials playing a supporting role. This incident, while serious, offers an opportunity for the sector to raise its security standards and build public trust in digital health systems.