Posted By Steve Alder on Mar 31, 2025
Oracle appears to have suffered two security incidents, one of which involved data stored by Oracle Health related to the electronic health record (EHR) company Cerner.
Oracle Health is a provider of health information technology to hospitals. In December 2021, Oracle announced it had reached an agreement to buy Cerner Corporation, an EHR vendor. The deal was closed in June 2022, and Cerner became Oracle Health.
Oracle Health has yet to make a public announcement about the cyberattack and data breach, but has started notifying the affected healthcare providers that their data has been compromised. Details are scant at this stage, as Oracle Health did not disclose details of the incident to the affected healthcare providers in its breach notifications.
According to Bleeping Computer, which has been in touch with some of the affected healthcare provider clients, the notification letters advise that Oracle Health detected the security breach on February 20, 2025, and the forensic investigation confirmed that the breach occurred on or after January 22, 2025. Oracle Health said an unknown threat actor accessed a legacy server using stolen credentials and exfiltrated data.
The types of data involved are unclear but appear to include data contained in electronic health records. Oracle Health has reportedly told the affected providers that the company will help by identifying the affected individuals and the types of data involved, will cover the cost of complimentary credit monitoring and identity theft protection services, and can provide templates for breach notification letters; however, it said it is the responsibility of each affected healthcare provider to determine if there has been a HIPAA breach and to issue notification letters to the affected individuals.
The Oracle Health notification letters were reportedly signed by Seema Verma, Executive Vice President & GM of Oracle Health; however, the letters were not sent on headed paper, and the affected customers have been told to contact Oracle Health’s Chief Information Security Officer (CISO) directly over the phone, not via email. This suggests Oracle is trying to avoid any association with the breach of legacy Cerner data migration servers.
It is unclear if ransomware was used, but data was exfiltrated and is being used in extortion attempts against the affected providers. Some of those providers have reportedly received ransom demands from a threat actor called “Andrew” who claims he is not affiliated with any known ransomware group. The threat actor is threatening to leak the stolen data if payment is not made.
In what appears to be a separate incident, another individual claims to have exploited a vulnerability around a month ago and accessed an Oracle Cloud server and exfiltrated approximately 6 million records. A person using the name rose87168 said she obtained SSO authentication data and encrypted LDAP passwords, which she claims could be decrypted using information in the stolen files. The vulnerability she allegedly exploited was CVE-2021-35587 and affects Oracle Access Manager.
Representatives from several companies allegedly affected by the incident have confirmed to Bleeping Computer that the sample of stolen data contains genuine information associated with their accounts. CloudSEK, whose researchers reviewed the data provided by rose87168, concluded with medium confidence that the incident rates high in severity and involved more than 140,000 customers who use Oracle Cloud services. Oracle maintains that there was no breach of Oracle Cloud and that none of the published credentials are for Oracle Cloud, but has not provided any official explanation.
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com