A leading NHS trust has become the latest organization to notify about a data breach linked to its use of Oracle E-business Suite (EBS).
Barts Health said in an update on Friday that it is seeking a High Court order to prevent the sharing, publication or use of the breached data.
“A criminal group known as Cl0p stole some files from a database containing invoices and posted them on the dark web. The stolen files include names and addresses of individuals who were liable to pay for treatment or services at a Barts Health hospital over several years,” it explained.
“We are working with NHS England, the National Cyber Security Centre, and the Metropolitan Police, and reported the breach to relevant regulators including the Information Commissioner’s Office.”
Read more on Oracle EBS breach: GlobalLogic Becomes Latest Cl0p Victim After Oracle EBS Attack
The trust’s electronic patient records, clinical systems and core IT infrastructure are unaffected by the breach, although those affected could include suppliers, former employees and patients at other hospitals.
“Some former staff members are also listed because they left employment owing the trust for salary sacrifice or overpayment. Almost half of the potentially compromised files list suppliers of goods or services whose details are in the public domain,” the notice continued.
“The database also includes files relating to accounting services we provided since April 2024 to Barking, Havering and Redbridge University Hospitals NHS Trust. We are working with them to minimise the harm to those affected.”
A Long-Running Breach
Back in early October, Oracle urged customers to patch nine vulnerabilities released in its July patch update after reports from Google that some executives had received extortion emails.
The past two months have seen a slow and steady number of organizations reveal that they were impacted by the supply chain campaign. They include Harvard University, Allianz UK, The Washington Post, Dartmouth College, University of Pennsylvania, Broadcom and Abbott Laboratories.
Around 100 organizations are believed to have been impacted.
Barts Health tried to play down the seriousness of the breach.
“The theft occurred in August but there was no indication trust data was at risk until November when the files were posted on the dark web,” it said.
“To date no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web.”
However, the risk of that data falling into the wrong hands and being weaponized for identity fraud and/or follow-on phishing campaigns, remains high. Any High Court judgement would have little to no impact on the activities of transnational cybercriminals, for example.
Image credit: Ian Dewar Photography / Shutterstock.com