Barts Health NHS Trust v Persons Unknown

This is a without notice pre-action application for an injunction. It is brought against a Defendant or Defendants whose identities are unknown and who have perpetrated a cyberattack upon the Claimant NHS Trust’s IT systems. I will call them the Defendants. Through the cyberattack, the Defendants have exfiltrated certain confidential information and have made it available on the dark web.

This application is being heard on a day when I am the Court 37 and Out of Hours judge. As a result, this judgment will be relatively brief. However, I have had a full opportunity to read the skeleton argument, witness statement, exhibit, draft order, and key authorities that I need to read.

The relief that is sought is an order requiring the Defendant (i) not to use, publish, communicate or disclose the exfiltrated Information to any other person, (ii) to make no further attempts to obtain documents or data from the Trust’s IT systems, (iii) to deliver up and/or delete and/or destroy the Information in their possession, custody or control, and (iv) to identify themselves to the Trust’s solicitors and provide a witness statement.

It has also been necessary for me to consider whether to hear this application without notice, whether to do so in private, and whether this is an appropriate case in which to give relief against persons unknown. Further, I have been asked to ensure that certain confidential details relating to this case are not made public, in this judgment or elsewhere, and that restrictions are placed on the court file.

I have been assisted by reading Synnovis Services LLP v Persons Unknown[2024] EWHC 2127 (KB), in which Stacey J had to deal with very similar issues to those in this case, and also the cases cited therein, especially the judgment of Ritchie J in Armstrong Watson v Persons Unknown [2023] EWHC 762 (KB). I have further reminded myself of the helpful guidance given as regards the principle of open justice by Nicklin J in PMC v A Local Health Board [2024] EWHC 2969 (KB) at paragraphs 26-37. An appeal against that judgment to the Court of Appeal was successful, but this guidance is nonetheless relevant, and the Court of Appeal did not cast doubt on Nicklin J’s general statement of the law relating to open justice: see [2025] EWCA Civ 1126, at paragraph 24. I have also reminded myself that it is necessary to consider whether any derogation from open justice is justified as being strictly necessary both by reference to common law principles and by reference to the relevant articles of the ECHR, as I said in XY v AB [2025] EAT 66.

The Claimant Trust has been represented by Mr Robin Hopkins of Counsel. I am very grateful to Mr Hopkins for his clear and concise submissions.

The facts are set out in the witness statement of an employee of the Trust, whom I will call Witness A. I do not propose to name the witness because I am persuaded that it would be wrong to do so, primarily because of the risk that the witness might be made subject to reprisals from the Defendants or their associates.

It is only necessary to summarise the facts in broad terms. They are set out in Witness A’s witness statement and exhibits. I take the summary largely from the Trust’s skeleton argument.

The Cyberattack was perpetrated on the Trust’s IT systems over the period August-September 2025. It appears likely – though there is no way this can be established conclusively – that it was perpetrated by a well-known criminal cyberattack and ransomware group known as “CL0P” (whom the Claimant calls the “Threat Actor”). The Cyberattack was carried out by the exploitation of a business management application of Oracle Corporation UK Limited (“Oracle”), the Oracle Business E-Suite, which is a financial system for invoicing, accounts payable and general ledger requirements. The evidence suggests this was part of, or mirrored, a wider wave of attacks on a number of organisations around the world, deploying the same attack methodology. Once Oracle discovered the vulnerability that the Threat Actor had exploited, it alerted its customers to the necessary patching steps on 6 October 2025. The Trust acted promptly to apply the patch.

In the interim, the Threat Actor sent a ransom demand to NHS England on 29 September 2025, indicating that they were “CL0P”. That demand was an obvious attempt at extortion and blackmail. The nature of the systems and data affected by the attack referred to in those emails was not clear. On advice, and in accordance with a wider public sector policy of not engaging with ransom attackers, NHS England did not communicate with the Threat Actor, but instead liaised with the relevant policing and cybersecurity authorities.

On 13 November 2025, all or the substantial majority of the Information was published on the dark web, where it has been made available at one location, from which it has been downloaded by a limited number of parties.

On 14 November 2025, the Trust was alerted to the fact that the Information was its data. The Trust promptly commenced its investigations into this matter, including liaising with NHS England, police authorities and the National Crime Agency. The Trust’s investigation work continues, as does its evaluation of any necessary and appropriate steps for communicating with the individuals whose data is contained in the Information (the “Compromised Data Subjects”).

The Information relates to patients of the Trust and also to patients of Barking, Havering and Redbridge University Hospitals NHS Trust (“BHRUT”), for whom the Trust acted as a data processor in respect of certain payment processes. The Information is particularised in Witness A’s statement, but in broad terms it concerns payments, and is not patient or medical data in the wide sense.

In common with NHS England’s approach, the Trust has not contacted the Threat Actor. The Trust has no realistic way of preventing further misuse of the Information, absent an order from the Court. The Trust issued its application for an injunction on 4 December 2025 (19 days after it was informed of the Cyberattack and the exfiltration of the Information).

This application has been made before the claim form has been issued. I am satisfied that the application should proceed on this basis, given its importance and the urgency. The Claimant is required to, and does, undertake to issue the claim form immediately: CPR 25.8(2).

The first issue is whether, exceptionally, the hearing should take place in private. I have decided that it should. The general rule, of course, is that a hearing should be in public. See CPR 39.2(1). A hearing in private is a derogation from open justice. I bear in mind the fundamental principle of open justice, both at common law and in accordance with Art 6 of the ECHR, and of the importance of freedom of expression. I am satisfied that in the circumstances of this case, it is strictly necessary to proceed in private because publicity would defeat the object of the hearing (CPR 39.2(3)(a)) and because publicity would damage the confidentiality with which this hearing is concerned (CPR 39.2(3)(c)). A public hearing would run the inescapable risk of making public details of the Cyberattack and its consequences, and may also give rise to the identification of witness A. Importantly, publication may assist those who were minded to exploit the information that was obtained in the Cyberattack. On the evidence before me, the Defendants appear to have been engaged in criminal activity and they have no overriding countervailing rights which override the necessity for a private hearing. As this is a hearing without notice, there is no restriction on the Defendants’ freedom of speech.

It is now well-established that it is appropriate for the court to sit in private to deal with an application relating to theft of confidential information and blackmail (see Armstrong Watson, paragraph 18 and the cases referred to therein), though each case must considered on its own merits.

I am also satisfied that there are overwhelmingly strong reasons to proceed without notice to the Defendants, pursuant to CPR 25.3(2). There is very strong evidence before me that the Defendants, whoever they are, are criminals who are seeking to blackmail and to extort and to cause harm to a Health Trust and to its patients to achieve their aims. The aim of this application is to obstruct their criminal enterprise and to limit its adverse effects. Nor would any purpose be served by adjourning to give the Claimant an opportunity to identify the Defendants. There is a real risk that if the Defendants became aware that the Claimants were on their trail, they would retaliate by taking steps to cause further harm to the Trust. At the very least, it may give them an opportunity to cover their tracks, and it would alert them to the steps that the Claimant has been taking to respond to the breach of confidential information. Even if the Claimant were given notice, it is wholly unrealistic to think that they would attend. In the circumstances, there are compelling reasons why the Defendants should not be notified, and so the requirements for proceeding in the Defendants’ absence under section 12(2)(b) of the Human Rights Act 1998 are met (if they apply: see Armstrong Watson, paragraph 12).

The Claimant is aware of its obligation of full and frank disclosure, and has complied with it, and Mr Hopkins has sought to draw to my attention such arguments as there may be that the Defendants may argue in opposition to the injunction. Frankly, in light of the evidence before me, they do not amount to very much. I am satisfied that the Claimant has addressed points that might have been raised by the Defendants had they been present and represented.

There will be a return date, on 14 January 2026.

I am also satisfied that, pursuant to section 11 of the Contempt of Court Act 1981 and CPR 5.4C(4), the court file should be restricted so that non parties would have to make an application to the court for access to the claim documents, and that I should make the order in paragraph 13 of the draft order for confidentiality measures to apply in the event that any of the hearing papers need to be provided to third parties for the purposes of giving effect to any order the Court may make. These too are strictly necessary for the same reasons as are the reasons for a private hearing.

Furthermore, the restrictions will be proportionate. The Claimant does not seek anonymity. Subject to a check that will be made at the end of this judgment, the order and judgment itself will, subject to a proviso, not be confidential. Also, Mr Hopkins’s skeleton argument will not be confidential. The proviso is that there are confidential schedules to the order which it is necessary to keep confidential because otherwise Witness A’s name would be made public and because confidential schedule 2 contains information that might assist the Threat Actors or those seeking to exploit the misuse of confidential information.

The cause of action relied upon by the Claimants is breach of confidence (see Armstrong Watson at paragraph 35 and Imerman v Tchenguiz [2010] EWCA Civ 908, at paragraphs 55-58). The confidential information was not publicly accessible. The data relating to the patients, even though not medical in nature, plainly has the necessary quality of confidence and/or there is a reasonable expectation that the information is confidential or private. It is also commercially sensitive.

At the heart of the relief sought by the Trust is interim relief under CPR 25.1(1)(a) requiring the Defendant not to publish or disseminate the Information (Draft Order §7(a)). The Trust also seeks an “anti-hacking” order (§7(b)) and orders for “unmasking”, delivery up and the provision of a confirmatory witness statement (§§8-9).

The Claimants have given the appropriate and necessary undertakings to serve documents in the manner that is provided for in the order, and to satisfy the cross-undertaking as to damages, should that become necessary. There is provision for a suitable return date. As I have said, the Claimants have recognised and complied with their obligations of full and frank disclosure.

Applying the test for the grant of interim relief in American Cyanamid v Ethicon [1975 AC] 396 and in section 12(3) of the Human Rights Act 1998, the first question is whether the Claimant’s evidence demonstrates a serious issue to be tried, subject to the qualification that, if the Human Rights Act is engaged, and as the interim relief might affect the exercise of freedom of expression, it should only be granted if the court is satisfied that the Claimant is likely, that is more likely than not, to establish that the publication of the information in question should not be allowed. I will assume, in the Defendants’ favour, that the Human Rights Act is engaged. In my judgment, on the evidence before me, this requirement has clearly been satisfied. There is very strong evidence that the Defendants have misused confidential and private information in the course of a cyberattack with the intention of profiting from the crime of blackmail. This is extortion.

I have considered whether the Defendants have any possible defence or justification. I am satisfied that they do not. There is clear evidence that they have hacked into the Claimant’s systems in order to exfiltrate confidential information with a view to publishing it, or threatening to publish it, for profit. On the basis of the evidence before me, any argument by the Defendants that the information is no longer confidential would be hopeless, given that, to the extent that the information has been disseminated, this has been by the Defendants themselves on the dark web as a result of an unlawful cyberattack, and also given that, as yet, the dissemination appears to have been limited. There can be no possible argument on behalf of the Defendants that they have protectable rights in the matter, whether under the ECHR or at common law. There is no possible argument that there is a public interest in the publication of the confidential information. There has been no significant delay, especially given the difficult tactical choices that faced the Claimant since the fact that the breach affected them came to light on 14 November 2025.

The second issue is whether damages would be an adequate remedy. It is self- evident that they would not. The aim here is primarily the protection of the Compromised Data Subjects and in particular their confidentiality and privacy rights, and the Defendant would not respect any damages award in any event.

The third issue is whether the balance of convenience favours injunctive relief. I have no doubt that it does. In Armstrong Watson at paragraph 31, and in Synnovis at paragraph 20, the courts rejected as wholly misconceived any argument that injunctive relief should not be granted because the Defendants may not be minded to comply with the order.

The Claimant also seeks a mandatory delivery up injunction. The terms in which this is sought are reasonable and proportionate: see Armstrong Watson at paragraphs 48-49 and Synnovis at paragraph 18. I bear in mind that this is a mandatory injunction, but in my judgment, the requirements, as set out in paragraph 47 of Armstong Watson, are met.

The order also seeks a requirement that the Defendants must identify themselves. This is an appropriate additional order to make: the Defendants’ actions appear unlawful and it appears that they are seeking to hide behind a cloak of anonymity, the name CL0P. If this is an organisation, it has no legal identity. It is clear that, in circumstances such as this, an “unmasking” order is appropriate. See Armstrong Watson at paragraph 49, PML v Persons Unknown [2018] EWHC 838 (QB) at paragraph 17, and Synnovis at paragraph 18.

In addition, the Claimants seek an order of the type that is often known as an anti-hacking injunction, which is designed to prevent further unauthorised access of the Claimant’s IT systems by the Defendant. It is plainly just and convenient to make such an order, which is similar to the one that was made in Synnovis (see Synnovis, paragraph 19).

Accordingly, I grant the injunction and ancillary orders in the terms sought.

The final issue is the method of service of the claim form, order and other documents, in a suitable redacted form.

I grant permission for service outside the UK and by means of the email addresses provided by the Threat Actor in their email correspondence with NHS England of 29 September 2025. It is likely that the Defendants are abroad. It is likely that service via the email address that they have themselves provided will reach them.

I have taken account of CPR 6.37(1), which states:

“(1)

An application for permission under rule 6.36 [for service out of the jurisdiction] must set out –

(a)

which ground in paragraph 3.1 of Practice Direction 6B is relied on;

(b)

that the claimant believes that the claim has a reasonable prospect of success; and

(c)

the defendant’s address or, if not known, in what place the defendant is, or is likely, to be found.”

I have also considered the guidance given by Nicklin J in Chirkunov v Persons Unknown [2024] EWHC 3177 (KB) at [64] and [66]-[76], and the extensive review of the authorities that is set out by Ritchie J in Armstrong Watson at paragraphs 20-31. The tests for service outside the jurisdiction are met in this case. In Synnovis at paragraph 23, Stacey J said:

“The breach of confidence gateway applies; the claim has a reasonable prospect of success; and England and Wales is the proper place in which to bring this claim. The claimant is based in England. Even if the defendant(s) is or are outside of this jurisdiction, once they have been validly served they will be within the reach of the Court and may be restrained from acts both within the jurisdiction and more widely.”

These observations apply equally to the present case.

I will therefore make each of the orders that has been sought by the Claimant.