Following a recent incident involving data from our Trust, there is a risk some personal data has been compromised.

A criminal group known as Cl0p stole some files from a database containing details of invoices and payments to customers and suppliers and posted them on the dark web. The files include personal details such as names and addresses of some patients and staff members.

We are sorry this has happened and we are taking it extremely seriously.

Barts Health manages the contract for us with Oracle, the supplier of our financial management system. We are working with NHS England, the National Cyber Security Centre, the Met Police Cyber Incident Team, and the National Crime Agency. The breach has also been reported to the relevant regulators including the Information Commissioner’s Office.

Barts Health are taking urgent action and are seeking a High Court order to ban the publication, use or sharing of the data by anyone.

CI0p exploited a loophole in the Oracle E-Business Suite software that automates key business processes. It has impacted many organisations across the world and Oracle has now removed the loophole.

The database was hosted on the Oracle cloud and included information relating to some of our patients (who were liable to pay for their tests or treatment), some members of staff (including those who owe the organisation money after receiving an overpayment) and suppliers.

A large proportion of our compromised files list suppliers of goods or services whose details are already in the public domain.

A few days after Barts Health learnt about the theft, they discovered our data was included and informed us. We’ve been working at pace, seven days a week, to identify those who have been affected. We will contact directly those who are most at risk.

We’re taking steps with Barts Health and our suppliers to try to ensure it doesn’t happen again.

No information has been published on the general internet and the information can only be retrieved by those who can access compressed files on the encrypted dark web. These details don’t give direct access to anyone’s accounts but could be used to trick someone into sharing sensitive information or into making payments.

No clinical systems at our Trust have been affected, including our new electronic patient record that we introduced last month.

If you have any concerns or questions, please contact our Information Governance team.

For help on protecting your data please visit Stop! Think Fraud - How to stay safe from scams.