
Oracle Health breach compromises patient data at US hospitals

A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.

Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack.

Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.

In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy Cerner data migration servers on February 20, 2025.

“We’re writing to tell you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” reads a notification sent to impacted Oracle Health customers.


Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data “might” have included patient information from electronic health records.

However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.

Oracle Health is also telling hospitals that it will not notify patients directly and that it is their responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications.

However, the company says it will help identify impacted individuals and provide templates to help with notifications.

It is not known if ransomware was deployed in the attack or if it was purely data theft, with BleepingComputer told that the details of the attack were not shared with customers.

Furthermore, it is unclear how a customer’s credentials could have allowed the theft of data from multiple organizations.


BleepingComputer first contacted Oracle Health about this incident on March 4th but received no responses to our questions.

Customers concerned about response

While the breach and theft of patient data have become a nightmare for the impacted organizations, BleepingComputer was told that Oracle’s lack of transparency has also been extremely frustrating.

In conversations with numerous sources, BleepingComputer learned that all formal communication was sent on plain paper rather than Oracle letterhead, nor has the company previously acknowledged the breach as expected.

The notification seen by BleepingComputer was not on official letterhead but was signed by Seema Verma, the Executive Vice President & GM of Oracle Health.

Furthermore, rather than providing written reports, Oracle Health has reportedly directed customers to communicate only with its Chief Information Security Office (CISO) over the phone and not via email.

This approach has left hospitals without proper documentation or clear guidance on responding to the security breach.


While Oracle Health has agreed to pay for credit monitoring services and the mailing vendor for patient notification, BleepingComputer was told the company is not willing to send the notifications on behalf of the impacted hospitals.

The disclosure of this incident comes soon after reports of an alleged breach of Oracle Cloud’s federated SSO login servers, in which a threat actor claimed to have stolen the LDAP authentication data for six million people. As proof of the attack, the threat actor shared an archived copy of a file uploaded to one of Oracle’s login servers that contained their email address.

While Oracle denied that it had suffered a breach, BleepingComputer was told that samples of the stolen data shared with customers have been confirmed to be valid.
