Facing down extortion: NHS trusts and healthcare data
Barts Health NHS Trust v Persons Unknown [2025] EWHC 3230 (KB)
This judgment of Cavanagh J, sitting as the interim applications and Out-of-Hours judge on 8 December 2025, illustrates when a court will grant a without-notice, pre-action application for an injunction against persons unknown where health-related data has been compromised. The case shows how NHS Trusts should respond to shield data subjects from the consequences of digital extortion.
Background
Between August and September 2025, the Trust’s financial systems sustained a sophisticated cyberattack. Compromised data included payment-related information for patients of both Barts and Barking, Havering & Redbridge University Hospitals. The affected systems were provided by Oracle. A ransom note was sent to NHS England on 29 September 2025.
The attacker identified itself as a group known as ‘CL0P’. CL0P is a ransomware gang which claims responsibility for exploiting the same Oracle vulnerability globally. Definitive attribution is impossible, so the court referred to the perpetrator as the ‘Threat Actor’.
NHS England, following its own policy, did not engage with the attackers. The Trust patched its systems promptly when Oracle issued guidance on 6 October 2025. However, the attackers published the exfiltrated data on the dark web on 13 November 2025, and a limited number of downloads followed. The court accepted that these payment details were confidential, commercially sensitive, and capable of identifying individual patients.
The Trust sought an urgent injunction on 4 December. An employee referred to as Witness A provided witness evidence. Their identity was withheld to avoid reprisals.
Open Justice, Without-Notice Relief, and Persons Unknown
The court considered whether it was proper to proceed in private (with some documents to be kept confidential) and without notice:
- Private hearing. While a private hearing is a derogation from the principle of open justice, the court was satisfied that it was strictly necessary to proceed in private because publicity would defeat the object of the hearing (CPR 39.2(3)(a)) and would damage the confidentiality with which the hearing was concerned (CPR 39.2(3)(c)). A public hearing risked (a) exposing sensitive details about the cyberattack, (b) revealing Witness A’s identity, and (c) assisting the Threat Actor or others seeking to exploit the data. Neither common law principles nor the relevant articles of the ECHR prevented proceeding in private. [16]
- Confidentiality of the court file. For the same reasons, the court ordered, pursuant to section 11 of the Contempt of Court Act 1981 and CPR 5.4C(4), that the court file be restricted so that non-parties would have to apply for access to the claim documents. Confidential schedules to the order were also necessary, because otherwise Witness A’s name would be made public and because the schedules contained information that might assist the Threat Actor or others seeking to exploit the misuse of confidential information. [21-22]
- Hearing without notice. The court accepted that there were overwhelmingly strong reasons not to notify the Defendants: CPR 25.3(2). They had engaged in blackmail and extortion, and notice would give them the opportunity to retaliate, destroy evidence, or intensify the harm. Even if given notice, it was wholly unrealistic to think that they would attend. [17-20]
The substantive application for injunctive relief
The Trust sought (i) a prohibitory injunction preventing use or dissemination of the data, (ii) mandatory delivery-up and deletion orders, (iii) an “unmasking” order requiring the Defendants to identify themselves and provide a witness statement, and (iv) an anti-hacking order restraining further access attempts: [24] and [32].
The court applied American Cyanamid. There was plainly a serious issue to be tried: [26]. The court assumed that the Human Rights Act 1998 was engaged, triggering the stricter “likely to succeed” criterion under s.12(3) HRA 1998. That requirement was clearly satisfied: there was very strong evidence of misuse of private information with the intent of profiting from it: [27]. Damages would not be an adequate remedy: [28]. There was no doubt that the balance of convenience favoured injunctive relief: [29]. The prohibitory injunction was granted.
The court also granted the mandatory delivery-up injunction, the “unmasking” order, and the anti-hacking injunction in the terms sought: [30-32].
Service
The application was made before issue of the Claim Form: [15]. The court was satisfied that it could proceed given the importance and urgency of the matter, but, as required by CPR 25.8(2), the Claimant had to issue the claim form immediately. Since the Defendants were likely outside the UK and monitored the email address from which the ransom demand had been made, permission was granted to serve court documents outside the jurisdiction by email: CPR 6.37(1) ([34-37]).
Conclusion
NHS Trusts necessarily store enormous quantities of sensitive medical data and healthcare-related data, such as the payment data in this case. Trusts will continue to be targeted by hackers seeking to use that data to blackmail and extort. The consequences of a data breach for NHS Trusts can be of the utmost severity. In June 2024 a supplier of pathology services to the NHS fell victim to a cyberattack which contributed to the death of a patient, in addition to over 11,000 postponed appointments and procedures. The Cyber Security and Resilience (Network and Information Systems) Bill, currently in the House of Commons ahead of its Committee Stage, was introduced partly as a result. The Bill will enable regulators to designate organisations as critical suppliers, including to the NHS, and will require those suppliers to take robust cyber security measures.
If Trusts suffer further data breaches, they should use this judgment as a blueprint. Injunctions should be secured to limit the impact of such breaches on their patients and the public purse.