The Cl0p ransomware gang claimed to have attacked the NHS in a post on its dark web leak site on November 11, 2025, prompting NHS England to launch an investigation with the National Cyber Security Centre.
On November 11, 2025, the Cl0p ransomware gang posted a claim on its dark web leak site stating it had hacked NHS systems. As of November 14, 2025, the gang has not named specific NHS bodies or leaked organizational or patient data. The NHS appeared on Cl0p's leak site alongside other organizations, including The Washington Post, which confirmed it was victimized by Cl0p through two vulnerabilities in Oracle's E-Business Suite. These vulnerabilities, CVE-2025-53072 and CVE-2025-62481, were patched earlier in autumn 2025. NHS England's digital teams published an advisory notice covering these Oracle bugs on October 23, 2025. NHS England confirmed it is investigating the incident with the NCSC but has not confirmed ransomware involvement or mentioned the Cl0p gang specifically.
Cl0p is among several cyber gangs known to conduct attacks without encrypting data, preferring theft and extortion instead. The gang's dark web posting states only that it hit "the NHS" rather than identifying specific bodies within Britain's health service. The NCSC declined to comment directly on the investigation. Earlier in the same week as the Cl0p claim, Synnovis, a pathology services unit run in part by Guy's and St Thomas' and King's College NHS trusts, began notifying NHS partners of patient data exposure following a Qilin ransomware attack in summer 2024 that caused disruption in south London.
An NHS England spokesperson stated: "We are aware that the NHS has been listed on a cyber crime website as being impacted by a cyber attack, but no data has been published. Our cyber security team is working closely with the National Cyber Security Centre [NCSC] to investigate."
Ransomware gangs like Cl0p conduct attacks that don't encrypt data but focus on data theft and extortion. These operations exploit vulnerabilities in widely used enterprise software, such as Oracle's E-Business Suite, to gain access to systems. The gang then threatens to publish stolen data unless ransom demands are met. The NHS comprises many distinct bodies rather than a single organization, which complicates attribution when attackers make vague claims about targeting "the NHS" without specifying which component was affected.
This incident shows the ongoing vulnerability of critical healthcare infrastructure to ransomware operations that exploit enterprise software flaws. The attack comes just months after the Synnovis breach disrupted NHS operations in south London, demonstrating how healthcare organizations face persistent, repeated targeting by different ransomware gangs. The exploitation of Oracle E-Business Suite vulnerabilities is concerning because these systems are widely used across healthcare and other sectors, potentially exposing multiple organizations simultaneously.
Cl0p often exploits unpatched vulnerabilities in widely used software to gain entry.
Threat actors sometimes publish broad claims to create pressure even before verifying their own intrusion.
Yes, these vulnerabilities impact any sector using the affected Oracle suite.
Data-theft-focused groups skip encryption and instead exfiltrate information for extortion.
Healthcare environments often have complex, interconnected systems that are difficult to secure fully.