Incident overview
- Who: Barts Health NHS Trust, one of England’s largest healthcare providers (five hospitals across London).
- What: Clop ransomware actors exploited a zero‑day in Oracle E‑Business Suite (CVE‑2025‑61882) to steal files.
- When: The intrusion took place in August 2025, but the data exposure was only confirmed in November, when the stolen files appeared on Clop’s dark web leak portal.
- Data exposed:
  - Invoices with names and addresses of patients who paid for treatment/services.
  - Information about former employees who owed money.
  - Supplier data (some already public).
  - Accounting files linked to Barking, Havering, and Redbridge University Hospitals NHS Trust (since April 2024).
Scope of Clop’s campaign
- Clop has been exploiting CVE‑2025‑61882 since early August against multiple organizations worldwide.
- Confirmed victims include Envoy Air, Harvard University, GlobalLogic, Washington Post, Logitech, Dartmouth College, University of Pennsylvania, and University of Phoenix.
Barts Health response
- Reported incident to the National Cyber Security Centre (NCSC), Metropolitan Police, and Information Commissioner’s Office (ICO).
- Seeking a High Court order to restrict publication or use of the stolen data (enforceable against media and data brokers in the UK, but of little practical effect against the criminals themselves).
- Assured that electronic patient records and clinical systems were not impacted.
- Advises patients to:
  - Review invoices to understand what data may have been exposed.
  - Stay vigilant for phishing or fraud attempts (e.g., unsolicited payment requests).
Why this matters
- Healthcare sector risk: Even non‑clinical data such as invoices can be weaponized for fraud, identity theft, or social engineering; a name, an address and proof of an existing payment relationship with the trust is enough to make a fake "outstanding balance" request convincing.
- Oracle EBS zero‑day exploitation: Exploitation began before a fix existed, so rapid patching alone would not have prevented the initial intrusions. This underlines the need to monitor internet‑facing enterprise software for signs of exploitation, not just to track patch status.
- Clop’s tactics: Focused on data theft and extortion rather than encryption. With no systems taken offline and no ransom note on screens, there is no disruptive event to trigger incident response; detection depends on spotting the exploitation and the outbound data transfer, and many victims only learn of the breach when the leak site lists them, months later in this case.
Actionable steps for organizations
- Patch Oracle EBS systems immediately against CVE‑2025‑61882. Because exploitation predates the fix, treat any instance that was reachable from the internet while unpatched as potentially compromised, not merely vulnerable, and hunt for evidence of exploitation rather than assuming the patch closed the matter.
- Audit for unauthorized access or rogue accounts in ERP systems: newly created users, reactivated dormant users, password changes and privileged responsibility grants in the exploitation window. Note that exploitation through the web tier runs with the application server's own privileges and needs no EBS login, so review web‑tier access logs and the application host alongside the account tables.
- Monitor Clop’s leak site and similar dark web portals for exposed data, so that notification to regulators and affected people is not delayed until a journalist calls.
- Educate staff and patients about the targeted phishing and invoice‑fraud attempts that typically follow a breach of billing data.
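As an added example of the account audit step (this is illustrative SQL written for this page, not code from the article, from Barts Health or from Oracle), the queries below run against the standard Oracle E‑Business Suite foundation tables FND_USER, FND_USER_RESP_GROUPS_DIRECT and FND_RESPONSIBILITY_TL. The review window starting 1 August 2025 is an assumption taken from the timeline above; widen it if the first exploitation date in your environment is unknown.

```sql
-- Added example, not from the original article or from Oracle.
-- Hypothetical audit queries for rogue or abused accounts in Oracle EBS,
-- run as the APPS schema. Assumption: the review window begins 01 Aug 2025
-- (the earliest exploitation date reported for this campaign); widen it if
-- in doubt, since a zero-day may have been used quietly before disclosure.

-- 1. Accounts created, reactivated or given a new password inside the window.
--    CREATED_BY holds the USER_ID of the creator; the self-join resolves it to
--    a name so that creations by an unexpected operator stand out.
SELECT u.user_name,
       u.creation_date,
       cb.user_name        AS created_by_user,
       u.start_date,
       u.end_date,
       u.password_date,
       u.last_logon_date
  FROM fnd_user u
  LEFT JOIN fnd_user cb
         ON cb.user_id = u.created_by
 WHERE u.creation_date     >= DATE '2025-08-01'
    OR u.password_date     >= DATE '2025-08-01'
    OR (u.end_date IS NULL
        AND u.last_update_date >= DATE '2025-08-01')
 ORDER BY u.creation_date DESC;

-- 2. Responsibility assignments made inside the window that are still active,
--    with administrative responsibilities sorted to the top. A grant of
--    System Administrator to a recently created account is the classic
--    persistence pattern an intruder leaves behind.
SELECT u.user_name,
       r.responsibility_name,
       g.creation_date     AS granted_on,
       g.end_date
  FROM fnd_user_resp_groups_direct g
  JOIN fnd_user u
       ON u.user_id = g.user_id
  JOIN fnd_responsibility_tl r
       ON r.responsibility_id = g.responsibility_id
      AND r.application_id    = g.responsibility_application_id
      AND r.language          = USERENV('LANG')
 WHERE g.creation_date >= DATE '2025-08-01'
   AND (g.end_date IS NULL OR g.end_date > SYSDATE)
 ORDER BY CASE
            WHEN r.responsibility_name LIKE '%System Administrator%' THEN 0
            ELSE 1
          END,
          g.creation_date DESC;
```

Review the output against change tickets rather than by eye alone: a legitimate joiner and a backdoor account look identical in these columns, and the creator name is what usually separates them. An empty result set does not clear the system. Exploitation of a web‑tier vulnerability executes as the application's operating system user without touching FND_USER, so the application host, its web access logs and outbound network flows need their own review.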