Oracle EBS zero-day used by Clop to breach Barts Health NHS

Clop ransomware stole data from Barts Health NHS after exploiting a zero-day in its Oracle E-Business Suite.

Barts Health NHS confirmed that Clop ransomware group stole data by exploiting zero-day CVE-2025-61882 in its Oracle E-Business Suite. The cybercrime group added the organization to its dark web data leak site and leaked the stolen information.

The Clop ransomware gang has been exploiting the critical Oracle EBS zero-day CVE-2025-61882 since early August, stealing sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, Washington Post, Logitech, University of Pennsylvania, and University of Phoenix.

The Barts Health NHS breach exposed invoices containing full names and addresses of patients, details of former employees with debts, and information on suppliers. Compromised data also included accounting files related to services Barts provided since April 2024 to Barking, Havering, and Redbridge University Hospitals NHS Trust, affecting sensitive financial and personal records across multiple years.

“A criminal group known as Cl0p stole some files from a database containing invoices and posted them on the dark web. The stolen files include names and addresses of individuals who were liable to pay for treatment or services at a Barts Health hospital over several years.” reads the cyberattack update published by Barts Health NHS. “The syndicate exploited a loophole in the Oracle E-business Suite software, which automates key business processes. This impacted many organisations across the world, and Oracle has since corrected the issue.”

The organization noted that its electronic patient record and clinical systems are not affected, and it ensured that its core IT infrastructure is secure.

The data breach occurred in August, but it was detected in November when announced on the dark web.

“The theft occurred in August but there was no indication trust data was at risk until November when the files were posted on the dark web. To date no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web.” continues the update.

Barts Health NHS notified the UK National Cyber Security Centre, Metropolitan Police, and the ICO about a data breach. Patients who made payments are advised to review invoices to identify exposed data and remain alert for suspicious or unsolicited messages, especially those requesting payments or sensitive information, to reduce the risk of fraud or identity misuse.

Barts Health NHS Trust is one of the largest NHS (National Health Service) hospital trusts in the United Kingdom, based in London. It provides a wide range of healthcare services, including acute, specialist, and community care. The trust manages several major hospitals, such as St Bartholomew’s Hospital, Royal London Hospital, Whipps Cross University Hospital, and Newham University Hospital.

Barts Health serves a diverse population of over 2.5 million people across East and Central London and is a key provider of both routine and specialist medical services. It is also involved in teaching and research, collaborating with universities and medical research institutions.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NHS)