NHS Investigates Cl0p Ransomware Claim of Oracle EBS Breach; Data Security Under Review

NHS Probes Alleged Oracle EBS Breach Claimed by Cl0p Ransomware Group

The UK’s National Health Service (NHS) is currently investigating claims by the Cl0p ransomware group of a significant breach involving Oracle’s E-Business Suite (EBS). On November 11, 2026, Cl0p announced on their dark web leak site that they had infiltrated the NHS, criticizing the organization for allegedly neglecting patient security in favor of profits. The group stated, “The company doesn’t care about its customers; it ignored their security.”

This claim is part of a broader hacking campaign that has targeted numerous high-profile organizations since early October. The NHS, which provides services to over 1.3 million patients daily through its extensive network of hospitals and clinics, has acknowledged awareness of the claim. However, they emphasized that no data has been publicly disclosed. An NHS England spokesperson commented, “We are aware that the NHS has been listed on a cybercrime website as being impacted by a cyber-attack, but no data has been published.” The NHS’s cybersecurity team is collaborating with the National Cyber Security Centre (NCSC) to investigate the incident, highlighting the urgency in a sector already strained by ransomware disruptions.

The Oracle EBS campaign exploits CVE-2025-61882, a critical unauthenticated remote code execution vulnerability. This flaw allows attackers to bypass authentication and execute arbitrary code on unpatched Oracle EBS servers, which are commonly used for enterprise resource planning. Oracle released patches in late September, but adoption has been slow, particularly in legacy systems prevalent in healthcare. Cybersecurity analyst Jane Doe from ThreatWatch emphasized, “Healthcare providers must prioritize patching and multi-factor authentication.”

As of now, Cl0p’s leak site lists over 40 alleged victims from the Oracle EBS attacks, with data from 25 already published. These victims include Harvard University, Envoy Air (a subsidiary of American Airlines), industrial leaders Schneider Electric and Emerson, and media outlet The Washington Post. The compromised data ranges from employee personally identifiable information (PII) to proprietary business information.

For the NHS, the stakes are particularly high. Past ransomware incidents, such as the 2024 Qilin attack on a UK hospital that allegedly contributed to a patient’s death, highlight how such breaches can halt critical care, delay surgeries, and expose medical histories. The NHS investigation continues, with no confirmation of data exfiltration yet, but the incident serves as a stark reminder of ransomware’s growing menace to public services.