National Health Service England is investigating the possibility that he was the victim of a prolific ransomware The operation comes after the Cl0p gang (also known as Clop) claimed to have hacked its systems by posting on its darknet leak site on November 11th.
At the time of writing, Cl0p has not named any specific NHS bodies or disclosed any details of organizations or patients. There were also no outward signs of a classic ransomware attack, such as IT infrastructure failures or service failures, although Cl0p is among a number of known cyber gangs that carry out attacks that do not result in data encryption, preferring instead to engage in theft and extortion.
However, the National Health Service appears alongside other names, one of which is the US newspaper. Washington Post, confirmed that he was the victim of a Cl0p attack, orchestrated through two separate vulnerabilities in the Oracle e-business package, corrected in the fall. NHS England Digital Teams published an advisory notice Description of Oracle bugs – CVE-2025-53072 and CVE-2025-62481 – October 23.
In a statement released to the media, a spokesperson for NHS England confirmed that the investigation was ongoing, although they did not specifically mention ransomware or the Cl0p gang.
“We are aware that the NHS is listed on a cybercrime website as having suffered a cyber attack, but no details have been published,” they said.
“Our cybersecurity team works closely with the National Cybersecurity Center. [NCSC] investigate”.
The NCSC declined to comment directly on the investigation.
Lack of clarity
Notably, Cl0p's somewhat vague post on the dark web only says that it affected the National Health Service, rather than one of the many individual organizations that make up the UK's health service, as Graham Stewart did. Checkpoint – noted the head of the public sector.
“Cl0p has not specified which part of the NHS they have affected and it is not clear from their statements that they themselves fully understand it,” he said.
“This in itself is a symptom of a wider problem. For NHS cybersecurity teams, it's just another day in the life, and it's a real problem. So yes, this is a call to arms and a timely reminder of the need for sustained and smart investment in NHS cybersecurity: in people, processes and technology.
“But to borrow a phrase from David Byrne: “Same as always.” This is now a reality and we must ensure the NHS is properly equipped to deal with this problem,” Stewart added.
Stuart said that behind the scenes, Check Point's research teams found that healthcare organizations in the UK face more than 1,100 attempted cyberattacks on the organization per week, making the National Health Service one of the most targeted organizations in the country.
“Unfortunately,” he added, “this is something that we as a society have become almost accustomed to; incidents like this happen every day.”
Earlier this week, Synnovis, the pathology services division partly managed by Guy's and St. Thomas And King's College NHS Trusts have started notifying their NHS partners about disclosure of patient data after the Qilin ransomware attack in the summer of 2024 caused widespread outages.
Patients affected by this incident, which primarily affected NHS operations in South London, will be informed if their data has been compromised by relevant NHS organisations.
