NHS England is investigating the possibility that it has fallen victim to a prolific ransomware operation, after the Cl0p (aka Clop) gang claimed to have hacked its systems via a post to its dark web leak site made on 11 November.
At the time of writing, Cl0p has not named any specific NHS bodies or leaked any organisational or patient data. Nor have there been any outward-facing signs of a classic ransomware attack, such as IT outages or service disruptions, although Cl0p is among a number of cyber gangs known to conduct attacks that do not result in data encryption, preferring instead to stick to theft and extortion.
However, the NHS appears alongside other names, one of which, US newspaper The Washington Post, has confirmed that it fell victim to a Cl0p attack orchestrated via two distinct vulnerabilities in Oracle’s E-Business suite, patched earlier in the autumn. NHS England’s digital teams published an advisory notice covering the Oracle bugs – CVE-2025-53072 and CVE-2025-62481 – on 23 October.
In a statement circulated to media, an NHS England spokesperson confirmed there was a live investigation in progress, although they made no mention of ransomware or the Cl0p gang specifically.
“We are aware that the NHS has been listed on a cyber crime website as being impacted by a cyber attack, but no data has been published,” they said.
“Our cyber security team is working closely with the National Cyber Security Centre [NCSC] to investigate.”
The NCSC declined to comment directly on the investigation.
Lack of clarity
Notably, Cl0p’s somewhat vague dark web posting states only that it has hit the NHS, rather than one of the many distinct bodies that comprise Britain’s health service, as Graeme Stewart, Check Point head of public sector, observed.
“Cl0p hasn’t been clear about which part of the NHS they’ve hit, and from their statements, it’s not obvious they fully understand it themselves,” he said.
“That in itself is symptomatic of the wider issue. For NHS cyber security teams, this is simply another day-in-the-life, and that’s the real problem here. So yes, it’s a call to arms and a timely reminder of the need for sustained, sensible investment in NHS cyber security: in people, processes, and technology.
“But to borrow a line from David Byrne: ‘Same as it ever was.’ This is the reality now, and we must ensure the NHS is properly equipped to deal with it,” added Stewart.
Stewart said that behind the scenes, Check Point’s research teams had found healthcare organisations in the UK face over 1,100 cyber attack attempts per organisation per week, making the NHS one of the most targeted organisations in the country.
“Unfortunately,” he added, “it’s something we as a society have almost become accustomed to; these incidents occur every day.”
Earlier this week, Synnovis, a pathology services unit run in-part by Guy’s and St Thomas’ and King’s College NHS Trusts, began notifying its partners in the NHS of patient data exposure following a Qilin ransomware attack in the summer of 2024, which caused widespread disruption.
Patients impacted in this incident, which primarily affected NHS operations in South London, will be informed if their data was compromised by the relevant NHS organisations.
