A recent security breach at Oracle Health has led to the theft of patient data from legacy servers, impacting multiple U.S. healthcare organizations and hospitals.
The incident, which has not been publicly disclosed by Oracle Health, was confirmed through private communications with affected customers and sources involved in the investigation.
Formerly known as Cerner, Oracle Health provides Electronic Health Records (EHR) and other healthcare software solutions. The breach reportedly occurred when a threat actor used compromised customer credentials to access legacy Cerner data migration servers sometime after January 22, 2025.
Oracle Health detected the unauthorized access on February 20, 2025, confirming that data had been copied to a remote server. While the company initially stated that patient data “may” have been compromised, sources confirmed to BleepingComputer that sensitive information was indeed stolen.
Oracle Health has placed the responsibility of notifying affected patients on the hospitals, stating that they must determine if the breach violates HIPAA regulations. Although Oracle has offered assistance in identifying impacted individuals and providing notification templates, it has refused to send notifications on behalf of hospitals. Additionally, the company has been criticized for its lack of transparency, as official communications were not on Oracle letterhead, and customers were instructed to discuss the incident only via phone calls rather than written reports.
The breach follows recent allegations of an attack on Oracle Cloud’s federated SSO login servers, where a threat actor claimed to have stolen authentication data for six million users. While Oracle denied the breach, leaked samples of the data were reportedly verified as authentic.
