A significant cybersecurity incident at Oracle Health has put the spotlight on data security within the healthcare industry. Multiple hospitals and healthcare organizations across the United States have been affected by a breach in which patient data was stolen from legacy servers. Oracle Health, formerly known as Cerner, has yet to make a public announcement regarding the incident; however, BleepingComputer confirmed the breach and theft of patient data through private communications with impacted customers and other involved parties.

Oracle Health, a major player in the healthcare software-as-a-service (SaaS) sector, provides Electronic Health Records (EHR) and business operations systems to numerous hospitals and healthcare organizations. Following its acquisition by Oracle in 2022, Cerner was integrated into Oracle Health, with its systems undergoing migration to the Oracle Cloud. This transition period appears to have presented vulnerabilities that were exploited in the recent attack.

According to a notice sent to impacted customers, Oracle Health became aware of the breach on February 20, 2025. The unauthorized access targeted legacy Cerner data migration servers that had not yet been fully migrated to the Oracle Cloud. The notification stated, "We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud."

Oracle reports that the threat actor gained access to the servers using compromised customer credentials sometime after January 22, 2025, and proceeded to copy data to a remote server. While Oracle initially indicated that the stolen data "may" have included patient information from electronic health records, multiple sources have confirmed that patient data was indeed stolen during the attack. This discrepancy has fueled concerns about the transparency of Oracle's communication regarding the breach.

Adding to the concerns, Oracle Health has informed hospitals that it will not be directly notifying patients about the breach. Instead, the responsibility falls on the hospitals to determine whether the stolen data triggers notification requirements under HIPAA laws. Oracle Health has offered to assist in identifying impacted individuals and providing notification templates, but the burden of direct communication remains with the healthcare providers.

It remains unclear whether ransomware was deployed during the attack or if the incident was purely a case of data theft, as the details of the attack have not been fully disclosed to customers.

The lack of transparency from Oracle has been a major source of frustration for the impacted organizations. Communications from Oracle Health have reportedly been sent on plain paper rather than official letterhead, and the company has not formally acknowledged the breach in a public statement. Furthermore, Oracle Health has allegedly directed customers to communicate solely with its Chief Information Security Officer (CISO) over the phone, rather than providing written reports or email correspondence. This approach has left hospitals without adequate documentation or clear guidance on how to effectively respond to the security breach.

While Oracle Health has agreed to cover the costs of credit monitoring services and the mailing vendor for patient notifications, the company is reportedly unwilling to send the notifications on behalf of the impacted hospitals. This reluctance has further strained the relationship between Oracle Health and its customers during a critical time.

This incident follows reports of a separate alleged breach of Oracle Cloud's federated SSO login servers, where a threat actor claimed to have stolen LDAP authentication data for millions of users. Although Oracle denied that breach, samples of the stolen data shared with customers were confirmed to be valid, raising further questions about Oracle's overall security posture.

The Oracle Health breach underscores the critical need for robust cybersecurity measures and transparent communication in the healthcare sector, where sensitive patient data is constantly at risk.