Oracle Health breach compromises patient data at US hospitals
A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.
Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack.
Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.
In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy Cerner data migration servers on February 20, 2025.
“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” reads a notification sent to impacted Oracle Health customers.
Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data “may” have included patient information from electronic health records.
However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.
Oracle Health is also telling hospitals that it will not notify patients directly and that it is the hospitals' responsibility to determine whether the stolen data falls under HIPAA and whether they are required to send breach notifications.
However, the company says it will help identify impacted individuals and provide templates to assist with notifications.
It is unclear if ransomware was deployed in the attack or if it was purely data theft, with BleepingComputer told that the details of the attack were not shared with customers.
BleepingComputer first contacted Oracle Health about this incident on March 4th but received no responses to our questions.
Customers concerned about response
While the breach and theft of patient data have become a nightmare for the impacted organizations, BleepingComputer was told that Oracle’s lack of transparency has also been extremely frustrating.
In conversations with numerous sources, BleepingComputer learned that all formal communication was sent on plain paper rather than Oracle letterhead, and that the company has not formally acknowledged the breach as customers expected.
The notification seen by BleepingComputer was not on official letterhead but was signed by Seema Verma, the Executive Vice President & GM of Oracle Health.
Furthermore, rather than providing written reports, Oracle Health has reportedly directed customers to communicate only with its Chief Information Security Officer (CISO) over the phone and not via email.
This approach has left hospitals without proper documentation or clear guidance on responding to the security breach.
While Oracle Health has agreed to pay for credit monitoring services and the mailing vendor for patient notification, BleepingComputer was told the company is not willing to send the notifications on behalf of the impacted hospitals.
The disclosure of this incident comes soon after reports of an alleged breach of Oracle Cloud’s federated SSO login servers, in which a threat actor claimed to have stolen the LDAP authentication data for 6 million people. As proof of the attack, the threat actor shared an archived copy of a file uploaded to one of Oracle’s login servers that contained their email address.
While Oracle denied that it had suffered a breach, BleepingComputer was told that samples of the stolen data shared with customers were confirmed to be valid.