UK’s Barts Health NHS Trust confirmed that Cl0p ransomware actors accessed and stole files containing invoice data for patients, staff and suppliers. The trust stated that the compromised material held names and addresses connected to payment obligations for treatment or services issued across several years. Individuals affected include patients who received invoices after treatment, staff whose records reflected salary sacrifice arrangements or overpayment recoveries, and suppliers whose details appeared in a large proportion of the accessed documents. The trust also reported that the same database held accounting records for Barking Havering and Redbridge University Hospitals NHS Trust for work carried out since April 2024. Those records may have been part of the compromised dataset.
The trust said that the incident did not affect electronic patient records or clinical systems. It emphasised that the affected files related only to invoice and billing information rather than detailed medical records. According to the disclosure, the trust learned of the exposure in November 2025 when the files were identified on the dark web. The intrusion occurred in August 2025, but the trust was not aware of the data theft until the material was uploaded by the attackers months later.
The trust indicated that the information in the leaked files does not provide direct access to bank accounts. It stated that the data could still be used in fraudulent payment requests or confidence scams that rely on accurate personal details. Individuals who appear in the files could be at risk of targeted attempts to solicit payments or to exploit invoice-related information for criminal purposes. The trust encouraged affected parties to remain cautious when reviewing correspondence that references invoices or outstanding balances.
Barts Health stated that the attackers exploited a zero-day vulnerability in Oracle E-Business Suite software. This vulnerability affected multiple organisations internationally before a patch was issued. According to the trust, the flaw allowed unauthorised access to the invoice database. The trust said it acted to investigate the source of the attack once the stolen files were discovered online. External specialists were engaged, and national agencies were informed. Notifications were provided to NHS England, the National Cyber Security Centre and the Metropolitan Police Service. The trust also reported the incident to the relevant data regulators.
Barts Health is seeking a High Court order intended to prevent any publication, use or further distribution of the stolen information. The trust stated that it would cooperate with legal authorities to restrict access to the files where possible. It is also working with suppliers to review and strengthen existing security controls in systems that handle invoice and accounting data. The trust said that these steps are part of a longer-term effort to reduce exposure to similar attacks.
The trust advised individuals who have received invoices during the relevant time period to review those documents to determine whether their details could be part of the compromised dataset. It is recommended that people remain attentive to unexpected communications requesting payment or personal information. The trust said it will provide further updates as the investigation continues and as additional information becomes available.