The number of individuals affected by a data breach at Oracle Health (formerly Cerner Corporation) is becoming clearer. While the total number of affected individuals has yet to be disclosed, based on the breach notifications issued to state attorneys general, more than 14,480 individuals have been confirmed as affected, although the actual total is undoubtedly considerably larger.
While several states publish their breach notification letters, only a few disclose the number of affected individuals, such as Massachusetts, South Carolina, Texas, and Washington. In addition to those states, California has published a breach notice from Oracle Health, but California has not stated how many individuals were affected.
State | Affected State Residents
Massachusetts | 6,562
Texas | 4,082
South Carolina | 2,989
Washington | 802
California | Unknown
Total | At least 14,485 individuals
Oracle Health stated previously that it is the responsibility of each affected covered entity to determine if there has been a breach that requires reporting to the HHS’ Office for Civil Rights (OCR). As such, the affected covered entity clients are likely to report the breach themselves to OCR, which makes determining the number of affected individuals difficult.
April 21, 2025: CISA issues Security Alert for Customers Affected by Oracle Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about the recently confirmed Oracle data breach. Oracle has confirmed that an unauthorized individual gained access to its legacy cloud environment, although limited details about the incident have been disclosed by Oracle, and the extent of the breach is currently unconfirmed. There have been reports of threat actor activity targeting Oracle customers, but the scope and impact of that activity are not yet known.
Information compromised in the incident includes credentials such as usernames, email addresses, passwords, authentication tokens, and encryption keys, and as such, the breach poses a risk to enterprise environments. CISA recommends that Oracle customers take steps to protect against unauthorized access and warns that when credential material has been embedded into scripts, applications, infrastructure templates, and automation tools, it can be hard to detect. Should action not be taken, unauthorized actors could potentially use credential material for long-term access to enterprise environments.
Breaches of credential material carry a risk, as threat actors frequently harvest and weaponize credentials. The stolen data can be enriched with information obtained in prior breaches, the information could be sold to other threat actors, and could be used to conduct BEC attacks or phishing campaigns. Valid credentials could be used to escalate privileges and move laterally within networks, or access cloud and identity management systems.
The suggested mitigations include resetting passwords across enterprise servers, especially in cases where local credentials may not be federated through enterprise identity solutions. Source code should be reviewed, along with infrastructure as code templates, configuration files, and automation templates, to identify embedded credentials, which should be replaced with secure authentication methods. Authentication logs should be monitored for anomalous activity, especially for privileged, service, or federated identity accounts, and if possible, phishing-resistant multifactor authentication should be implemented and enforced, especially for administrator accounts.
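Two of the mitigations above, finding credential material embedded in scripts and templates, and watching authentication logs for anomalous use of privileged and service accounts, can be partly automated. The following is an added illustration written for this page, not CISA's or Oracle's tooling. Everything in it is constructed for the example: the sample files and log lines, the `key=value` log format, the assumption that privileged account names start with `admin`, `svc_` or `oracle`, and the `KNOWN_SOURCES` baseline of expected login sources.

```python
import re
from datetime import datetime

# --- Part 1: find literal credentials in code, IaC templates and config files ---

# Constructed sample files; none of this is real Oracle or customer material.
SAMPLE_FILES = {
    "deploy.sh": 'export APP_PASSWORD="Example-Passw0rd!"\n'
                 'curl -u admin:Example-Passw0rd! https://example.invalid/api\n',
    "main.tf": 'resource "example_db" "main" {\n  admin_password = "Tf-Example-Secret-1"\n'
               '  api_token = var.api_token\n}\n',
    "app.yaml": 'db:\n  user: svc_app\n  password: ${DB_PASSWORD}\nauth:\n  api_key: AKIAEXAMPLEKEY0000\n',
    "id_rsa": '-----BEGIN RSA PRIVATE KEY-----\nEXAMPLEKEYMATERIAL\n-----END RSA PRIVATE KEY-----\n',
}

# (label, pattern); group 1, where present, is the literal value that was found.
CREDENTIAL_PATTERNS = [
    ("hardcoded password", re.compile(r'(?i)(?:password|passwd|pwd)\s*[=:]\s*["\']?([^\s"\']+)')),
    ("embedded token/key", re.compile(r'(?i)(?:api[_-]?key|token|secret)\s*[=:]\s*["\']?([^\s"\']+)')),
    ("basic auth on command line", re.compile(r'\s-u\s+([^\s:]+:\S+)')),
    ("private key block", re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')),
]

# Values like ${VAR}, var.x or {{ x }} are references to a secret store, not the secret itself.
REFERENCE_VALUE = re.compile(r'^(\$|var\.|\{\{|%\()')


def scan_for_embedded_credentials(files):
    """Return (filename, line_no, label) for every line that embeds a literal credential."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for label, pattern in CREDENTIAL_PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group(1) if m.groups() else None
                if value is not None and REFERENCE_VALUE.match(value):
                    continue  # indirection to a vault or variable is what we want to see
                findings.append((name, line_no, label))
    return findings


# --- Part 2: flag anomalous logins for privileged, service and federated accounts ---

PRIVILEGED_PREFIXES = ("admin", "svc_", "oracle")  # assumed naming convention
KNOWN_SOURCES = {"svc_backup": {"198.51.100.20"}, "admin": {"198.51.100.1"}}  # assumed baseline

# Constructed log lines in an assumed key=value format, not any vendor's real log format.
SAMPLE_AUTH_LOG = """\
2025-02-19T09:02:11Z user=jdoe src=198.51.100.7 result=success
2025-02-19T09:05:40Z user=svc_backup src=198.51.100.20 result=success
2025-02-20T02:41:03Z user=svc_backup src=203.0.113.9 result=failure
2025-02-20T02:41:09Z user=svc_backup src=203.0.113.9 result=failure
2025-02-20T02:41:15Z user=svc_backup src=203.0.113.9 result=success
2025-02-20T03:10:00Z user=admin src=203.0.113.9 result=success
2025-02-20T10:00:00Z user=jdoe src=198.51.100.7 result=success
"""

LOG_RE = re.compile(r'^(\S+) user=(\S+) src=(\S+) result=(success|failure)$')


def parse_auth_log(text):
    """Parse the sample format into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_anomalous_logins(events, known_sources, work_hours=(7, 19)):
    """Flag successful logins by privileged accounts from an unknown source, outside
    working hours (UTC), or immediately after repeated failures from the same source."""
    alerts = []
    recent_failures = {}
    for ts, user, src, result in events:
        if result == "failure":
            recent_failures[(user, src)] = recent_failures.get((user, src), 0) + 1
            continue
        if not user.startswith(PRIVILEGED_PREFIXES):
            continue
        reasons = []
        if src not in known_sources.get(user, set()):
            reasons.append("unknown source")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("outside working hours")
        if recent_failures.get((user, src), 0) >= 2:
            reasons.append("success after repeated failures")
        if reasons:
            alerts.append((ts.isoformat(), user, src, reasons))
        recent_failures.pop((user, src), None)
    return alerts


if __name__ == "__main__":
    for finding in scan_for_embedded_credentials(SAMPLE_FILES):
        print("credential:", finding)
    for alert in find_anomalous_logins(parse_auth_log(SAMPLE_AUTH_LOG), KNOWN_SOURCES):
        print("alert:", alert)
```

The scanner deliberately ignores values that point at a secret store or variable (`${DB_PASSWORD}`, `var.api_token`), which is the pattern the mitigation recommends replacing literals with, and flags the hard-coded values, the credential passed on a `curl` command line, and the private key. The log check only reacts to successes, because a failed attempt from an unknown source is noise until it becomes a success, and it stacks reasons so that an analyst sees why a single event was raised.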
Oracle has stressed that the breach involved legacy servers and there was no breach of Oracle Cloud, but has yet to issue any public advisory to help customers mitigate risk.
April 15, 2025: Oracle Confirms Hacking Incident Involving Obsolete Servers
Oracle has issued notifications to customers about a security incident widely reported in the media, confirming that Oracle Cloud was not breached. Oracle explained in its April 7, 2025, email notification to customers that “Oracle would like to state unequivocally that the Oracle Cloud – Also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach.” Oracle also confirmed that “no OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”
There was, however, a security incident involving legacy servers. Oracle said, “A hacker did access and publish user names from two obsolete servers that were never part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted or hashed. Therefore, the hacker was not able to access any customer environments or customer data.”
According to security researcher Kevin Beaumont, the “obsolete servers” were Gen1, aka Oracle Cloud Classic, a different platform from Oracle Cloud, but they were Oracle-managed cloud services. Beaumont suggested Oracle is engaging in wordplay regarding its breach notifications and questioned why two obsolete servers containing data could still be accessed. Oracle’s response relates to a claim by a threat actor – rose87168 – who is attempting to sell 6 million data records, including LDAP display names, email addresses, given names, hashed passwords, and other information.
There was also a separate incident involving Oracle Health, formerly Cerner. The Oracle Health incident involved a hacker named “Andrew” who is reportedly attempting to extort Oracle Health customers and is demanding millions of dollars in cryptocurrency to prevent the publication of stolen data. The Federal Bureau of Investigation is investigating, but does not divulge information about ongoing investigations.
The Oracle Health security incident also involved legacy servers, in this case, older servers from the electronic health record company Cerner. Those servers had not yet been migrated to Oracle Cloud. Oracle said stolen credentials were used to access those servers on or around January 22, 2025. The security incident was identified on or around February 20, 2025. The number of individuals affected and the types of data involved have yet to be confirmed, but they are likely to include information typically found in medical records.
Another lawsuit has been filed against Oracle Health in relation to the breach. This lawsuit was filed in the U.S. District Court for the Western District of Missouri and claims a hacker stole sensitive information, including names, Social Security numbers, clinical test results, and other protected health information. The lawsuit claims Oracle Health was negligent by failing to secure servers after the $28.3 billion acquisition of Cerner in 2022.
The two named plaintiffs, Rebecca Blount and Cheryl McCulley, maintain they were not informed about the data breach by Oracle Health, and say they now face an increased and ongoing risk of identity theft and fraud and have incurred costs protecting themselves against the misuse of their data. In addition to damages, the lawsuit seeks injunctive relief, including an order from the court for Oracle Health to improve security and operate with greater transparency in the future.
Oracle Health explained in its notifications to its healthcare provider customers that it is their responsibility to determine if a breach occurred that is reportable under HIPAA, and also their responsibility to issue breach notifications to the affected individuals if they determine a reportable breach occurred.
April 3, 2025: Oracle Sued Over Healthcare Data Breach
A class action lawsuit has been filed against Oracle Corporation by a Florida resident in the U.S. District Court for the Western District of Texas over a January 2025 data breach. Oracle has yet to publicly confirm that there has been a data breach, and the incident has yet to appear on the breach portal of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), so it is currently unclear how many individuals have been affected.
The lawsuit, filed by the law firm Shamis & Gentile, names Michael Toikach as plaintiff and was filed on behalf of other similarly situated individuals who had their personal data compromised in the incident. The plaintiff claims that his personal and health information was stored by Oracle via a healthcare provider that used Oracle’s software. The lawsuit alleges Oracle failed to implement reasonable and industry-standard data security practices to properly store, safeguard, and adequately destroy the sensitive data it received and stored for business purposes, and as a result of the data security failures, fell victim to a cyberattack and data breach. Specifically, the lawsuit claims that Oracle had inadequate network segmentation, insufficient staff cybersecurity training, and a lack of monitoring and alert systems.
That breach occurred on or around January 22, 2025, and was discovered by Oracle on February 20, 2025. The lawsuit takes issue with the lack of notifications, which under the HIPAA Breach Notification Rule should be issued without undue delay and no later than 60 days from the date the data breach was discovered. There is also a data breach notification statute in Texas, which the lawsuit claims has been violated. Akin to HIPAA, under the Texas statute, notifications must be issued without undue delay and no later than the 60th day following the discovery of a data breach.
The lawsuit claims the delay in issuing notifications, combined with the lack of transparency about the data breach, has deprived the plaintiff and class members of the information they need to mitigate risks and exposure. Since sensitive personal and health data were compromised in the incident, the plaintiff and class members claim to face an increased and ongoing risk of identity theft and fraud, with the elevated risk likely to last for years to come.
The lawsuit asserts claims of negligence, negligence per se, breach of third-party beneficiary contract, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, compensatory damages, reimbursement of out-of-pocket losses, and long-term credit monitoring services. The lawsuit also seeks injunctive relief, requiring Oracle to implement a long list of security measures, including data encryption, regular penetration tests, third-party security audits, automated security monitoring, and enhancements to its security awareness training program.
March 31, 2025: Oracle Health Breach Affects Patients of Multiple U.S. Hospitals
Oracle appears to have suffered two security incidents, one of which involved data stored by Oracle Health related to the electronic health record (EHR) company Cerner. Oracle Health is a provider of health information technology to hospitals. In December 2021, Oracle announced it had reached an agreement to buy Cerner Corporation, an EHR vendor. The deal was closed in June 2022, and Cerner became Oracle Health.
Oracle Health has yet to make a public announcement about the cyberattack and data breach, but has started notifying the affected healthcare providers that their data has been compromised. Details are scant at this stage, as Oracle Health did not disclose details of the incident to the affected healthcare providers in its breach notifications. According to Bleeping Computer, which has been in touch with some of the affected healthcare provider clients, the notification letters advise that Oracle Health detected the security breach on February 20, 2025, and the forensic investigation confirmed that the breach occurred on or after January 22, 2025. Oracle Health said an unknown threat actor accessed a legacy server using stolen credentials and exfiltrated data.
The types of data involved are unclear but appear to include data contained in electronic health records, which would make it a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA). Oracle Health has reportedly told the affected providers that the company will help by identifying the affected individuals and the types of data involved, will cover the cost of complimentary credit monitoring and identity theft protection services, and can provide templates for breach notification letters; however, it said it is the responsibility of each affected healthcare provider to determine if there has been a HIPAA breach and, if so, to issue notification letters to the affected individuals.
Under the HIPAA Breach Notification Rule, in the event of a breach of unsecured protected health information, the U.S. Department of Health and Human Services must be notified about a data breach without undue delay and no later than 60 days from the date of discovery of the data breach. Individual notification letters must also be mailed within the same time frame, and if the breach affects 500 or more individuals, a notice must be provided to prominent media outlets serving the state or jurisdiction where the affected individuals reside.
When a data breach is experienced by a business associate of a HIPAA-regulated entity, the business associate must notify the affected covered entity clients without undue delay and no later than 60 days from the date of discovery of a data breach, as appears to have been the case here. It is the responsibility of the affected covered entities to ensure that notification letters are mailed to the affected individuals within 60 days, and the clock starts ticking when they receive notification from their business associate. Each covered entity is permitted under HIPAA to delegate the responsibility of issuing notification letters to the business associate, although ultimately it is the responsibility of each affected HIPAA-covered entity to ensure those notifications are issued.
The Oracle Health notification letters were reportedly signed by Seema Verma, Executive Vice President & GM of Oracle Health; however, the letters were not sent on headed paper, and the affected customers have been told to contact Oracle Health’s Chief Information Security Officer (CISO) directly over the phone, not via email. This suggests Oracle is trying to avoid any association with the breach of legacy Cerner data migration servers.
It is unclear if ransomware was used, but data was exfiltrated and is being used in extortion attempts against the affected providers. Some of those providers have reportedly received ransom demands from a threat actor called “Andrew” who claims he is not affiliated with any known ransomware group. The threat actor is threatening to leak the stolen data if payment is not made.
In what appears to be a separate incident, another individual claims to have exploited a vulnerability around a month ago and accessed an Oracle Cloud server and exfiltrated approximately 6 million records. A person using the name rose87168 said she obtained SSO authentication data and encrypted LDAP passwords, which she claims could be decrypted using information in the stolen files. The vulnerability she allegedly exploited was CVE-2021-35587 and affects Oracle Access Manager.
Representatives from several companies allegedly affected by the incident have confirmed to Bleeping Computer that the sample of stolen data contains genuine information associated with their accounts. CloudSEK researchers reviewed the data provided by rose87168 and concluded with medium confidence that it rates high in severity and involved more than 140,000 customers who use Oracle Cloud services. Oracle maintains that there was no breach of Oracle Cloud and that none of the published credentials are for Oracle Cloud, but it has not provided any official explanation.
The post At Least 14,485 Individuals Known to be Affected by Oracle Health/Cerner Data Breach appeared first on The HIPAA Journal.