Barts Health Takes Legal Action After Oracle Data Breach
▼ Summary
– Barts Health NHS Trust has disclosed a data breach from its Oracle EBS system, where the Cl0p criminal group stole and posted files containing names and addresses of individuals who owed for treatment.
– The stolen data includes patient payment details, some former staff information, and supplier files, but the trust’s core clinical systems and patient records remain unaffected.
– Barts Health is seeking a High Court order to prevent the use of the breached data and is working with national authorities and regulators in response.
– This incident is part of a wider supply chain campaign exploiting Oracle EBS vulnerabilities, believed to have impacted around 100 global organizations.
– Although the data is currently limited to the dark web, there remains a high risk of it being used for identity fraud or phishing campaigns, which a court order is unlikely to prevent.
A major NHS trust has initiated legal proceedings following a significant data breach connected to its Oracle software systems. Barts Health NHS Trust is seeking a High Court injunction to block the sharing or use of stolen data, which was exfiltrated by the Cl0p ransomware gang. The compromised files contain names and addresses of individuals who were billed for hospital treatments or services over several years. The trust confirmed it is collaborating with national authorities, including NHS England and the Metropolitan Police, and has reported the incident to the Information Commissioner’s Office.
According to the trust’s statement, the stolen data originated from an Oracle E-Business Suite database holding invoice information. The breach did not impact electronic patient records or core clinical systems. Those affected potentially include former patients, suppliers, and some ex-employees who had outstanding financial agreements with the trust. The database also contained accounting service files for another NHS trust, Barking, Havering and Redbridge University Hospitals, with both organizations now working to mitigate potential harm.
This incident is part of a wider, ongoing campaign targeting unpatched vulnerabilities in Oracle EBS software. Following extortion attempts reported by Google in early October, Oracle had urged customers to apply critical patches issued months earlier. Over the past two months, numerous global entities, including universities, major corporations, and media outlets, have disclosed they are victims of the same supply-chain attack, with estimates suggesting around one hundred organizations are impacted.
While Barts Health stated the theft occurred in August and the data was only posted on the dark web in November, cybersecurity risks remain severe. The trust attempted to downplay the immediate threat, noting the information has not appeared on the general internet and is confined to encrypted dark web locations. Nevertheless, the exposure of personal information creates a substantial risk of identity fraud and sophisticated phishing campaigns targeting the affected individuals. Legal actions, such as the sought High Court order, are largely symbolic against international cybercriminal groups, highlighting the challenges organizations face in truly securing stolen data once it is in adversaries’ hands.
(Source: InfoSecurity Magazine)