Cl0p Attack Hits Barts Health: Full Invoice Database Leaked

The Cl0p ransomware attack on Barts Health NHS Trust exposed years of patient, staff, and supplier invoice data on the dark web, highlighting serious security gaps in Oracle E-Business Suite systems.

Recent findings confirm that the notorious threat actor Cl0p exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) to breach Barts Health NHS Trust. Attackers exfiltrated years of invoice data, including names, addresses, and billing records of patients, staff, and suppliers, then posted the haul on the dark web. The breach impacts not only Barts Health but also several partner institutions that rely on its accounting services. Below is a detailed breakdown of what we know, who is affected, and how you can respond if you might be at risk.

What Was Stolen / Compromised

The compromised dataset reportedly includes:

  • Invoices for treatment or services rendered over multiple years, covering full names and home addresses of paying patients.

  • Records of former staff who owed overpayments or salary-sacrifice balances to the Trust.

  • Details of suppliers and vendors, especially those with existing contracts or outstanding invoices. Some of this data is already publicly accessible but is now compiled in a potentially exploitable dataset.

  • Accounting records related to services Barts Health provided to Barking, Havering and Redbridge University Hospitals NHS Trust since April 2024. 

Authorities emphasize that the leak does not include clinical records or electronic patient-care systems. The breach appears confined to financial/invoicing data only. 

How The Attack Happened: CVE-2025-61882 + Oracle E-Business Suite

Cl0p took advantage of a critical vulnerability in Oracle E-Business Suite tracked as CVE-2025-61882. This zero-day flaw allowed unauthorized actors to bypass authentication and extract database contents from vulnerable deployments. The initial exploit reportedly occurred in August 2025, though Barts Health only realized the breach when the stolen data surfaced on a darknet leak portal in November 2025. Oracle has since issued a patch to close the vulnerability. Any organizations still running outdated versions of Oracle E-Business Suite remain at high risk for similar data theft.

What Was Not Affected and What Assurance Has Been Given

Barts Health publicly confirmed that:

  • Their core clinical systems and electronic patient-record platforms remain unaffected.

  • No known patient-care data was exposed; the leak only involves financial records and invoices.

  • The Trust is actively seeking a High Court order to prevent misuse, publication, or further sharing of the stolen data. 

  • They’re coordinating with NHS England, National Cyber Security Centre (NCSC), Metropolitan Police Service cyber-units, and the Information Commissioner’s Office (ICO). 

Potential Risks for Staff, Patients & Suppliers

Even though the leak excludes medical history or clinical data, the exposed invoice information still poses serious risks:

  • Fraudsters may use addresses and names to craft convincing phishing or social-engineering campaigns, posing as hospital staff or billing departments.

  • Suppliers and former staff included in the leak may experience identity theft or blackmail attempts, especially if their financial or employment status shows vulnerability.

  • Individuals with outstanding payments or overpayments could be targeted with fake invoices or impersonation scams.

  • Because the data now exists on darknet leak portals, long-term exposure risk remains. Once data is out, removal is nearly impossible, even with court orders.

What Patients and Affected Persons Can Do Now

  • Review any invoices received from Barts Health in the past few years. Ensure the name and address match what you expect, and verify that there are no irregular charges.

  • Remain alert for unsolicited calls, mail, or emails claiming to be from the hospital billing department, especially if they demand additional payments or sensitive information.

  • If you’re a former employee or supplier, double-check payment statements, outstanding balance communications, or overpayment notifications.

  • Consider placing a fraud alert or credit-monitoring alert with your bank or credit bureau (if applicable).

  • Report any suspicious contacts to law enforcement and/or the hospital’s data protection officer (as recommended by the Trust).

Why This Breach Matters: Wider Lessons for Healthcare IT Professionals

For security experts and IT teams in healthcare, this incident serves as a stark reminder:

  • Legacy enterprise software like Oracle E-Business Suite, even inside large NHS Trusts, remains a prime target for cybercriminals.

  • Zero-day vulnerabilities in widely used platforms represent a systemic risk to multiple institutions simultaneously.

  • Entire supply-chain and vendor datasets (suppliers, external contractors, partner hospitals) can get dragged into a breach, which calls for integrated security across all linked entities.

  • Response must include not only patching, but rapid detection, dark-web monitoring, legal containment strategies (e.g., court orders), and public communication/remediation for affected individuals.

Healthcare organizations must treat financial and administrative systems with the same vigilance as clinical ones.

FAQs

Q: Does this breach affect my medical records or treatment history?
A: No. The leaked data only relates to invoices, payments, and financial records. Clinical systems and electronic patient records remain secure. 

Q: Which hospitals are included under Barts Health?
A: Barts Health runs several hospitals including St Bartholomew’s Hospital, The Royal London Hospital, Mile End Hospital, Newham Hospital, and Whipps Cross University Hospital.

Q: Could this leak lead to identity theft or fraud?
A: Yes. Exposed names, addresses, and payment history can be used in phishing, social-engineering, or fake invoice scams, particularly targeting patients, former staff, or suppliers.

Q: What should I do if I receive suspicious contact claiming to be from the hospital billing department?
A: Do not respond. Instead, contact Barts Health via official channels and verify any requests through formal billing or data-protection offices.

Q: Has the vulnerability been patched yet?
A: Yes. Oracle released a patch for CVE-2025-61882 after the breach was disclosed. Organizations running Oracle E-Business Suite must apply the update immediately.
