NHS Trust launches legal action after cyberattack exposes patient and staff data
Barts seeks to ban the sharing of stolen data
Barts Health NHS Trust is taking legal action against a cybercrime group after personal data belonging to patients and staff was stolen and posted on the dark web.
The trust, which runs St Bartholomew's Hospital, Mile End Hospital, the Royal London Hospital, Newham Hospital and Whipps Cross Hospital, confirmed that names and addresses were among the files taken from a database containing invoicing information.
The cybercriminal group known as Cl0p exploited a vulnerability in Oracle-supplied automation software used by the trust. Oracle has since released a patch for the flaw.
The breach occurred in August, but the trust said it only became aware its data was at risk in November, when the files were posted on the dark web. So far, none of the information has appeared on the public internet.
The trust says it is "taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone".
In its statement, Barts Health said it was "very sorry that this has happened," adding that it was taking steps with its suppliers to ensure such a breach cannot be repeated. It also reassured patients that clinical systems remain secure.
"Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure."
The trust said the stolen information does not enable criminals to directly access bank or payment systems, but warned it could be misused to obtain more sensitive details or prompt fraudulent payments.
Patients who have received invoices have been advised to review them to understand what personal information might be at risk.
Information relating to former staff members who still owe money due to salary sacrifice arrangements or overpayments may also have been compromised.
The affected database also included files linked to accounting services that Barts Health has provided to Barking, Havering and Redbridge University Hospitals NHS Trust since April 2024. Barts Health said it was working with that trust to mitigate any potential harm.
The trust is working alongside NHS England, the Metropolitan Police and the National Cyber Security Centre to investigate the incident.
What is Cl0p?
Cl0p, a Russian-speaking threat group, is considered one of the world's most prolific cybercriminal organisations. First observed in 2019, its ransomware attacks have targeted numerous global industries, including healthcare, retail, education, transport, energy and financial services.
Its ransomware is a variant of CryptoMix, although its recent campaigns, including the Oracle one described below, have relied on stealing data and threatening to publish it rather than on encrypting victims' files.
In recent months, Cl0p has launched a growing extortion campaign against organisations using Oracle E-Business Suite.
Security researchers from Mandiant and Google reported in October that a wave of threatening emails warned corporate victims that stolen information would be published unless payment was made.
Oracle later confirmed a zero-day flaw in its E-Business Suite software and released an emergency patch.
Several high-profile organisations, including Harvard University, The Washington Post, Envoy Air and Logitech, have publicly disclosed breaches linked to the same Oracle E-Business Suite exploitation campaign.
The Washington Post confirmed last month that attackers infiltrated its network for more than six weeks, exposing personal data belonging to nearly 10,000 current and former workers.
Cybersecurity experts say healthcare organisations remain a prime target for data theft and extortion operations, due to the high volume of personal and financial information they hold.
The investigation into the Barts Health breach is ongoing.