
Barts Health Confirms Major Data Breach After Clop Exploits Oracle Zero-Day

Barts Health NHS Trust has acknowledged a major data security breach after the Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite, resulting in the exposure of sensitive patient information.

 

In a data security incident notice published on its website, Barts Health revealed that it had recently learned the Clop ransomware group accessed files from an invoice database and uploaded them to the dark web. The breach stemmed from the criminal group exploiting a zero-day vulnerability in the Oracle EBS platform, which the healthcare provider uses to manage key internal functions such as human resources, finance, and other operations.

 

Oracle E-Business Suite (EBS) is a widely used ERP platform that supports major business functions such as HR, finance, and supply chain management. The Clop ransomware group exploited a critical zero-day vulnerability — primarily CVE-2025-61882, with indications that CVE-2025-61884 may also be involved — in EBS’s BI Publisher component. This flaw allowed attackers to execute arbitrary code remotely without authentication, giving them broad control over affected systems.

 

An investigation into the incident found that the compromised invoices contained sensitive patient data, including “names and addresses of individuals who were liable to pay for treatment or services at a Barts Health hospital over several years.”

 

“Some former staff members are also listed because they left employment owing the trust for salary sacrifice or overpayment. Almost half of the potentially compromised files list suppliers of goods or services whose details are in the public domain.

 

“The database also includes files relating to accounting services we provided since April 2024 to Barking, Havering and Redbridge University Hospitals NHS Trust. We are working with them to minimise the harm to those affected,” Barts Health said.

 

The healthcare provider noted that its electronic patient record system, clinical systems, and core IT infrastructure were not impacted during the incident.

 

Barts Health said it is seeking a High Court order to prevent anyone from publishing, using, or sharing the data. The trust is working with NHS England, the National Cyber Security Centre, and the Metropolitan Police, and has reported the breach to regulators, including the Information Commissioner’s Office.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543