Barts Health NHS Trust, a major healthcare provider in England, announced that Clop ransomware actors have stolen files from one of its databases after exploiting a vulnerability in its Oracle E-business Suite software.

The stolen data are invoices spanning several years that expose the full names and addresses of individuals who paid for treatment or other services at Barts Health hospital.

Information of former employees who owed money to the trust, and suppliers whose data is already public, has also been exposed, the organization says.

In addition to Barts' files, the compromised database include files concerning accounting services the trust provided since April 2024 to Barking, Havering, and Redbridge University Hospitals NHS Trust.

Cl0p ransomware has leaked the stolen information on their leak portal on the dark web.

"The theft occurred in August, but there was no indication that trust data was at risk until November when the files were posted on the dark web," explained Barts.

"To date no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web."

The hospitals operator stated that it is in the process of getting a High Court order to ban the publication, use, or sharing of the exposed data by anyone, though such orders have limited effect in practice.

Barts Health NHS Trust runs five hospitals throughout the city of London, namely Mile End Hospital, Newham University Hospital, Royal London Hospital, St Bartholomew's Hospital, and Whipps Cross University Hospital.

The Clop ransomware gang has been exploiting a critical Oracle EBS flaw tracked as CVE-2025-61882 as a zero-day in data theft attacks since early August, stealing private information from a large number of organizations worldwide.

Victims that have confirmed impact from Cl0p ransomware's campaign include Envoy Air, Harvard University, GlobalLogic, Washington Post, Logitech, Dartmouth College, the University of Pennsylvania, and the University of Phoenix.

Barts has already informed the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner's Office (ICO) about the data theft incident.

The healthcare organization assured that Clop's attack did not impact its electronic patient record and clinical systems, and it is confident that its core IT infrastructure remains secure.

Patients who have paid Barts are recommended to check their invoices to determine what data was exposed and to stay vigilant for unsolicited communications, especially messages that request payment or the sharing of sensitive information.