**Oracle EBS Zero-Day Exploited by Clop Ransomware Gang to Breach Barts Health NHS**

Barts Health NHS has confirmed that it was breached by the notorious Clop ransomware gang, who exploited a zero-day vulnerability in its Oracle E-Business Suite (EBS) software. The attack, which occurred in August, exposed sensitive patient and financial data, including invoices containing full names and addresses of patients, details of former employees with debts, and information on suppliers.

The Clop ransomware gang has been actively exploiting the critical Oracle EBS zero-day vulnerability, CVE-2025-61882, since early August. This vulnerability allows attackers to steal sensitive data from numerous organizations worldwide, including Envoy Air, Harvard University, Washington Post, Logitech, University of Pennsylvania, and University of Phoenix.

Barts Health NHS, one of the largest NHS hospital trusts in the United Kingdom, based in London, has been affected by this attack. The trust provides a wide range of healthcare services, including acute, specialist, and community care, to a diverse population of over 2.5 million people across East and Central London.

According to Barts Health NHS, the stolen files include names and addresses of individuals who were liable to pay for treatment or services at a Barts Health hospital over several years. The organization noted that its electronic patient record and clinical systems are not affected, and it ensured that its core IT infrastructure is secure.

The data breach was detected in November when the stolen files were posted on the dark web. However, the theft occurred in August, but there was no indication trust data was at risk until November. To date, no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web.

Barts Health NHS notified the UK National Cyber Security Centre, Metropolitan Police, and the ICO about a data breach. Patients who made payments are advised to review invoices to identify exposed data and remain alert for suspicious or unsolicited messages, especially those requesting payments or sensitive information, to reduce the risk of fraud or identity misuse.

Oracle has since corrected the issue, but the incident highlights the importance of maintaining robust security measures to prevent such attacks. As the Clop ransomware gang continues to exploit zero-day vulnerabilities, it is essential for organizations to stay vigilant and take proactive steps to protect themselves from similar attacks.

Barts Health NHS Trust's statement on the data breach can be found here.

Stay informed about cybersecurity news and threats by following me on Twitter: @securityaffairs and Facebook and Mastodon.