title: "Barts Health NHS: Clop Ransomware Oracle Zero-Day Breach"
date: 2026-06-25
slug: barts-health-nhs-oracle-zero-day-ransomware
Barts Health NHS: Clop Ransomware Oracle Zero-Day Breach
Barts Health NHS Trust, one of the largest healthcare providers in England, has confirmed a data breach stemming from a zero-day exploit in Oracle software and a subsequent ransomware data-theft attack. The Clop (Cl0p) ransomware gang infiltrated the trust's systems, stole files containing personal data, and has begun leaking the stolen information on the dark web. The trust operates five hospitals across London and serves a large population, placing potentially thousands of individuals at risk. Barts has notified the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).
What Happened
According to the disclosure, the Clop ransomware gang exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS) software to gain access to Barts Health NHS systems. The intrusion occurred in August 2025, but the full extent of the breach did not become apparent until November, when the stolen data surfaced.
The attackers exfiltrated files rather than encrypting systems, consistent with Clop's well-documented data-extortion model. The compromised database held Barts' own records as well as sensitive information tied to accounting services the trust provided to another NHS trust, widening the blast radius beyond a single organization. Barts has since pursued legal action to prevent further publication or sharing of the exposed data, though the practical effectiveness of such measures against a dark-web leak remains uncertain.
What Was Taken
The stolen files include invoices spanning multiple years. These invoices expose the full names and addresses of individuals who sought treatment or services at Barts Health hospitals. The breach also reached beyond patients, exposing data belonging to former employees and suppliers.
Critically, the compromised database contained information related to accounting services provided to a second NHS trust, meaning the data of multiple organizations was caught up in a single intrusion. Barts has stated that the attack did not compromise patient medical records or clinical systems. Even so, the combination of full names, home addresses, and billing relationships is more than enough to fuel convincing phishing, fraud, and social-engineering campaigns against affected individuals.
Why It Matters
Healthcare remains one of the most targeted sectors for data-extortion crews, and this incident shows why. Even when clinical systems are untouched, the administrative and financial periphery — billing, invoicing, supplier records, and shared accounting services — holds richly exploitable personal data. The cross-trust exposure is particularly significant: a breach at one organization spilled into another simply because shared back-office services concentrated data in one place.
This is also part of a much larger campaign. Clop has been exploiting the same Oracle flaw against organizations worldwide, with reported victims including Envoy Air, Harvard University, and multiple other universities and media organizations. For defenders, the lesson is that a single widely deployed enterprise application can become a mass-compromise vector across entirely unrelated sectors.
The Attack Technique
The breach was driven by Clop's exploitation of CVE-2025-61882, a critical zero-day vulnerability in Oracle E-Business Suite. The gang has been abusing this flaw since early August 2025 to steal private data from organizations across the globe, leaving a trail of breaches in its wake.
Clop's playbook is consistent: identify a vulnerability in a widely used file-transfer or enterprise application, exploit it at scale as a zero-day before patches are broadly applied, mass-exfiltrate data, and then extort victims through threats of public release on its dark-web leak site. The Oracle EBS campaign follows the same pattern the group used in prior mass-exploitation events against managed file-transfer platforms, trading network encryption for pure data theft and extortion leverage.
What Organizations Should Do
- Patch Oracle E-Business Suite immediately. Apply Oracle's emergency fix for CVE-2025-61882 and verify it across all EBS instances, including test, staging, and legacy deployments.
- Hunt for prior compromise. Assume exploitation may predate patching and review logs from early August 2025 onward for signs of unauthorized access, unusual data access, and large outbound transfers tied to EBS.
- Inventory and isolate shared services. Map where shared accounting, billing, and back-office systems concentrate data across multiple organizations, and segment them to contain cross-tenant exposure.
- Restrict internet exposure of enterprise apps. Place EBS and similar applications behind VPNs or zero-trust access controls rather than exposing administrative interfaces directly to the internet.
- Strengthen exfiltration detection. Deploy and tune data-loss-prevention and egress monitoring to flag large or anomalous outbound transfers, the hallmark of Clop's theft-based attacks.
- Prepare affected individuals. Notify patients, former employees, and suppliers, and advise them to scrutinize invoices and stay alert to unsolicited communications requesting sensitive information or payment.
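As an added illustration of the log-hunt and egress-monitoring items above (not code from Barts, Oracle or the source article), this Python example sums outbound bytes per EBS host, day and destination, then flags totals from 1 August 2025 onward that exceed both the host's earlier baseline and an absolute floor. The flow-record format, host names, thresholds and documentation-range IP addresses are assumptions constructed for the example.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample flow records (assumed format: time, source host, dest IP, bytes out).
SAMPLE_FLOWS = """\
2025-07-28T02:10:00,ebs-app01,198.51.100.7,41000000
2025-07-29T02:11:00,ebs-app01,198.51.100.7,39000000
2025-07-30T02:09:00,ebs-app01,198.51.100.7,44000000
2025-07-31T02:12:00,ebs-app01,198.51.100.7,40000000
2025-08-09T02:10:00,ebs-app01,198.51.100.7,42000000
2025-08-09T03:40:00,ebs-app01,203.0.113.50,900000000
2025-08-09T04:05:00,ebs-app01,203.0.113.50,1300000000
2025-08-10T02:10:00,hr-web02,203.0.113.50,5000000000
"""
HUNT_START = date(2025, 8, 1)  # the page advises reviewing from early August 2025

def daily_egress(flow_csv, ebs_hosts):
    """Sum outbound bytes per (host, day, destination) for the named EBS hosts."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) == 4 and row[1] in ebs_hosts:
            day = datetime.fromisoformat(row[0]).date()
            totals[(row[1], day, row[2])] += int(row[3])
    return totals

def flag_anomalies(totals, hunt_start=HUNT_START, k=6.0, floor=500_000_000):
    """Return (host, day, dest, bytes, new_dest) for hunt-window totals above
    max(floor, median + k*MAD) of that host's pre-window totals."""
    base, seen = defaultdict(list), defaultdict(set)
    for (host, day, dst), n in totals.items():
        if day < hunt_start:
            base[host].append(n)
            seen[host].add(dst)
    hits = []
    for (host, day, dst), n in sorted(totals.items()):
        if day < hunt_start:
            continue
        threshold = floor  # hosts with no baseline fall back to the floor alone
        if base[host]:
            med = statistics.median(base[host])
            mad = statistics.median(abs(x - med) for x in base[host])
            threshold = max(floor, med + k * mad)
        if n > threshold:
            hits.append((host, day.isoformat(), dst, n, dst not in seen[host]))
    return hits

if __name__ == "__main__":
    for hit in flag_anomalies(daily_egress(SAMPLE_FLOWS, {"ebs-app01"})):
        print(hit)
```

The `new_dest` flag marks destinations the host never contacted before the hunt window, which helps separate a grown backup job from a transfer to an unfamiliar endpoint.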
Sources: Barts Health NHS Data Breach: Oracle Zero-Day Hack & Ransomware Attack (2026)