Public Breach Analysis
Barts Health NHS Trust, one of the largest healthcare providers in England, has confirmed a significant data breach following a cyberattack by the Cl0p (Clop) ransomware gang. The breach also impacts the Barking, Havering, and Redbridge University Hospitals NHS Trust, for whom Barts provides accounting services.
The Attack Chain:
- Vector: The attackers exploited a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. This flaw allows unauthenticated remote code execution (RCE), giving attackers full control over affected systems.
- Timeline: The initial theft occurred in August 2025, but the Trust only became aware of the exfiltration in November 2025 when Cl0p published the stolen files on their dark web leak site.
- The Data: The compromised database contained administrative and financial records, specifically:
  - Patient Invoices: Full names and addresses of private patients or those liable for treatment costs.
  - Employee Data: Records of former staff members who owed money to the Trust (e.g., salary overpayments).
  - Supplier Info: Publicly available details of goods and services providers.
  - Inter-Trust Data: Accounting files related to services provided to Barking, Havering, and Redbridge University Hospitals since April 2024.
Impact Assessment: Barts Health has stated that no electronic patient records or clinical systems were compromised. The attack was confined to back-office financial databases. However, the publication of data on the dark web poses a permanent privacy risk to affected individuals. The Trust is currently seeking a High Court order to legally ban the distribution of this data, though such measures are often unenforceable against cybercriminals.
Key Cybersecurity Insights
This incident underscores the continued threat of zero-day exploitation in critical infrastructure:
- The “Zero-Day” Window: Cl0p exploited CVE-2025-61882 as a zero-day in August, months before many organizations applied the October patch. This “window of exposure” allowed them to harvest data silently from hundreds of victims, including Barts, Harvard University, and The Washington Post.
- Silent Exfiltration (No Encryption): Unlike traditional ransomware attacks that lock systems immediately, Cl0p often focuses on pure data theft (extortion only). Barts Health’s IT operations were not disrupted, which explains why the breach went undetected for three months until the extortion phase began.
- Third-Party Risk (Shared Services): The breach illustrates how shared service models in the NHS (Barts providing accounting for Barking & Havering) can aggregate risk. A vulnerability in one Trust’s software stack can compromise the data of another.
Mitigation Strategies
For Healthcare Organizations:
- Patch Oracle EBS Immediately: Ensure the October 2025 Critical Patch Update (CPU) for Oracle E-Business Suite is applied. This vulnerability (CVE-2025-61882) is being actively exploited.
- Review Outbound Traffic: Audit network logs from August 2025 to present for any large, unauthorized data transfers or connections to known Cl0p infrastructure.
- Segregate Administrative Networks: Ensure that financial and administrative databases (like Oracle EBS) are strictly segmented from clinical patient record systems (EHR) to limit the blast radius of a breach.
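As an added example (not code from the original post), the outbound-traffic review above can be scripted against flow records: it aggregates bytes sent per external destination from an assumed Oracle EBS application host after the August 2025 window opened and flags destinations that exceed a size threshold. The record format, the hostname `ebs-app-01`, and the 1 GiB threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real logs):
# timestamp, source host, destination IP, bytes sent.
SAMPLE_FLOWS = """\
2025-07-30T02:10:00 ebs-app-01 203.0.113.10 524288000
2025-08-12T03:15:00 ebs-app-01 198.51.100.7 734003200
2025-08-12T03:40:00 ebs-app-01 198.51.100.7 629145600
2025-08-13T09:00:00 ebs-app-01 10.20.30.40 2147483648
2025-08-14T11:05:00 hr-web-02 192.0.2.55 1048576
"""

# RFC 1918 ranges: transfers to these are internal and not counted as exfiltration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WINDOW_START = datetime(2025, 8, 1)      # start of the exposure window in the advisory
THRESHOLD_BYTES = 1024 ** 3              # 1 GiB per destination (assumed tuning value)
WATCHED_HOSTS = {"ebs-app-01"}           # hypothetical hostname of the EBS app server


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src_host, dst_ip, bytes) tuples from the flow text."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_large_outbound(text, hosts=WATCHED_HOSTS, start=WINDOW_START,
                        threshold=THRESHOLD_BYTES):
    """Sum outbound bytes per (host, external destination) inside the window
    and return the pairs whose aggregate meets the threshold."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in parse_flows(text):
        if ts < start or src not in hosts or is_internal(dst):
            continue
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in find_large_outbound(SAMPLE_FLOWS).items():
        print(f"REVIEW: {src} -> {dst} sent {total / 1024**2:.0f} MiB since {WINDOW_START:%Y-%m-%d}")
```

Aggregating per destination matters because two 700 MB and 600 MB transfers individually sit below a 1 GiB alert line but together exceed it.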
For Affected Patients:
- Check Invoices: If you have paid for treatment at Barts Health hospitals (Royal London, St Bartholomew’s, etc.), verify if your physical address or contact details were on those invoices.
- Beware of “Callback” Scams: Criminals may use the stolen invoice data to call victims, posing as hospital administration, and demanding payment for “overdue bills.” Always verify such calls by contacting the hospital directly via their official website.
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com