Fertility data incident
Dear patient,
We are contacting you because a recent incident involving data from our trust poses a risk that some of your personal data may be compromised. A criminal group known as Cl0p stole files containing invoices belonging to Barts Health NHS Trust and posted them on the dark web.
We are taking this extremely seriously and working closely with the Metropolitan Police and other cyber-crime authorities to investigate the full extent of the theft. We have reported this incident to our regulator – the Human Fertilisation and Embryology Authority.
We obtained a High Court order banning the disclosure, use or sharing of any data that was illegally obtained. The theft took place in August although this only recently came to light when some material was put on the dark web.
As yet no stolen data is on the general internet. Nevertheless, we are getting in touch with everyone who is listed as a customer in the database in case their privacy is breached.
As a patient who paid for fertility treatment or services at one of our hospitals, or is liable to pay, your name and address is included on the database, together with the invoice we sent you at the time. You can check what information may be accessible by referring to your own copy.
Please note that our electronic patient record and clinical systems are not affected, and we are confident our own IT infrastructure is secure.
The criminals exploited a loophole in the Oracle E-business software (which automates key business processes) that has impacted many organisations across the world, and Oracle has since corrected.
These details do not allow direct access to your accounts but could be used by criminals to trick people into sharing sensitive information or making payments.
For help on protecting your data, visit Stop! Think Fraud - How to stay safe from scams.
If you have any concerns, or wish to arrange for further support by the way of counselling please contact the Trust’s data protection officer. We can offer support and pass information to the police if you wish.
If you are approached by anyone claiming to have access to your personal data, please do contact the Metropolitan Police by phoning 101 and quote the crime reference number for this incident: NCCUTIC-22160.
We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again. We issued a public statement about the theft which you can read on our website.
Kind regards,
Rebecca Carlton, group chief operating officer
Ann Hepworth, group chief strategy officer