Oracle Health, a subsidiary of Austin, Texas-based tech giant Oracle, suffered a health data breach that potentially exposed the sensitive information of patients.
Kansas City, Missouri-based Oracle Health is a software-as-a-service (SaaS) firm providing Electronic Health Records (EHR) and business management information systems to healthcare providers. In 2022, Oracle acquired the health subsidiary, previously known as Cerner Corp., for $28 billion and promised to modernize its legacy software.
While Oracle has yet to publicly acknowledge the Oracle Health data breach, impacted hospitals have received private notification letters, and the FBI has launched an investigation.
Oracle secretly confirms health data breach
Oracle said the data breach occurred around January 22, 2025, and affected a legacy server yet to be migrated to Oracle Cloud.
“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” the company stated.
The data breach letters say the attacker leveraged stolen credentials and exfiltrated data that potentially included patient health information extracted from electronic health records.
The tech giant is reportedly in communication with affected hospitals and has promised to help them identify impacted patients. However, Oracle reportedly said it will not directly notify impacted patients but would provide notification templates.
Additionally, the affected healthcare organizations must determine on their own whether the compromised patient data included HIPAA-protected health information and make the necessary notifications.
Subsequently, cybersecurity experts have slammed Oracle’s handling of the potential health data breach, which does not particularly inspire confidence, especially for such a high-profile tech company.
Meanwhile, the Federal Bureau of Investigation (FBI) has reportedly taken up an investigation into the Oracle Health data breach after a threat actor demanded millions of dollars in cryptocurrency as ransom.
So far, the threat actor’s identity and the nature of the cybersecurity incident remain undetermined or unreported.
While Oracle seems determined to sweep the data breach under the rug, a health data breach of this magnitude could compel the tech giant to pay the ransom to prevent the eventual publication of the patient health data.
Nonetheless, paying the ransom does not guarantee that the threat actor will not extort the company again or sell the sensitive health data to other threat actors.
So far, it remains unclear how many healthcare organizations and patients were affected by the alleged Oracle Health data breach.
Second data breach after Oracle Cloud incident
The Oracle Health data breach revelation occurred hot on the heels of another cybersecurity incident affecting the Texas-based tech colossus involving the compromise of login credentials from Oracle’s Cloud federated SSO servers.
The incident became public knowledge after a threat actor claimed to have stolen encrypted SSO and LDAP passwords from more than 140,000 domains and claimed that the passwords could be decrypted.
Oracle responded by denying the allegation, stating that its cloud infrastructure had not been breached and that no customer information was affected.
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
However, cybersecurity experts have given contradictory assessments, which point to Oracle Cloud having been breached and leaking sensitive information. CloudSEK, in particular, claims that the threat actor likely exploited an undisclosed vulnerability in Oracle Cloud.
Similarly, the threat actor claims to have exploited a critical Oracle Fusion Middleware vulnerability, CVE-2021-35587, to gain access.