Oracle Health reportedly suffered a data breach earlier this year in which hospitals’ patient data were stolen from the company’s legacy servers.
The incident has not yet been reported by Oracle but was shared Friday by information security and technology news publication Bleeping Computer, which cited notices Oracle has sent to its hospital customers. That reporting has since been verified by Bloomberg News, whose source also said that the incident is being looked at by the Federal Bureau of Investigation.
Parent company Oracle deepened its healthcare presence in 2022 when it acquired Cerner and its electronic health records platform, which it then rebranded to Oracle Health. The company has been working to transfer customer data from the Cerner systems to a new platform, announced late last year, that is built on Oracle Cloud Infrastructure and has stronger AI capabilities.
According to the reports, Oracle told its customers that the breach occurred among those older Cerner systems sometime after Jan. 22. Oracle said on Feb. 20 that it became aware of a threat actor who used customer credentials to access the servers and copy their data to a remote server.
Though Oracle’s message to customers said that the stolen data “may” have included patient information from EHRs, the reports cite sources confirming that patient data was taken.
The reports also say that impacted hospitals have received extortion demands related to the breach. Per Bleeping Computer, the extortions are coming from a single threat actor who has not claimed affiliation with any groups, is demanding millions in cryptocurrency and has created websites about the breach to pressure hospitals.
Hospital customers who spoke to the outlet were reportedly frustrated with Oracle’s communications regarding the incident. Outside of the notice—signed by Oracle Health Executive Vice President and General Manager Seema Verma, but lacking the company’s official letterhead—the company has instructed the hospitals to discuss the breach over the phone rather than through written messages or guidance, they reportedly said.
Oracle also reportedly told the affected customers that it is up to the hospitals to determine whether there has been a HIPAA breach and send out notification letters to their affected patients. Oracle would, however, help identify affected individuals, pay for their complimentary credit monitoring and identity theft services, and provide a breach notification letter template for the hospitals to use, per the report.
Fierce Healthcare has reached out to Oracle for confirmation and comment, but has not received a response.
Separately, reports from Bleeping Computer and other data security publications from the past couple of weeks have outlined posts from an online account that claims to have breached Oracle Cloud’s federated SSO login servers. Oracle has denied that breach, which could affect 6 million users, though available evidence clashes with that position.
The news comes as President Donald Trump extended for one year a national emergency relating to malicious cyberattackers. Healthcare is among the chief targets for attackers, with a late 2024 survey of IT and security practitioners outlining a year-over-year uptick in cyberattacks, including those targeting cloud networks and those disrupting care delivery.