A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.
Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack.
Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.
In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy Cerner data migration servers on February 20, 2025.
"We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud," reads a notification sent to impacted Oracle Health customers.
Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data "may" have included patient information from electronic health records.
However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.
Oracle Health is also telling hospitals that it will not notify patients directly and that it is their responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications.
However, the company says it will help identify impacted individuals and provide templates to help with notifications.
It is not known if ransomware was deployed in the attack or if it was purely data theft, with BleepingComputer told that the details of the attack were not shared with customers.
Furthermore, it is unclear how a single customer's credentials could have allowed the theft of data from multiple organizations.
Sources have told BleepingComputer that the impacted hospitals are being extorted by an individual threat actor going by the name "Andrew" who has not claimed affiliation with any known ransomware or extortion groups.
The threat actor is demanding millions of dollars in cryptocurrency to prevent the leak or sale of the stolen data and has created clearnet websites about the breach as a way to pressure the hospitals.
BleepingComputer first contacted Oracle Health about this incident on March 4th but received no responses to our questions.
Customers concerned about response
While the breach and theft of patient data have become a nightmare for the impacted organizations, BleepingComputer was told that Oracle's lack of transparency has also been extremely frustrating.
In conversations with numerous sources, BleepingComputer learned that all formal communication was sent on plain paper rather than Oracle letterhead, nor has the company formally acknowledged the breach as expected.
The notification seen by BleepingComputer was not on official letterhead but was signed by Seema Verma, the Executive Vice President & GM of Oracle Health.
Furthermore, rather than providing written reports, Oracle Health has reportedly directed customers to communicate only with its Chief Information Security Office (CISO) over the phone and not via email.
This approach has left hospitals without proper documentation or clear guidance on responding to the security breach.
While Oracle Health has agreed to pay for credit monitoring services and the mailing vendor for patient notification, BleepingComputer was told the company is not willing to send the notifications on behalf of the impacted hospitals.
The disclosure of this incident comes soon after reports of an alleged breach of Oracle Cloud's federated SSO login servers, in which a threat actor claimed to have stolen the LDAP authentication data of six million people. As proof of the attack, the threat actor shared an archived copy of a file uploaded to one of Oracle's login servers that contained their email address.
While Oracle denied that it had suffered a breach, BleepingComputer was told that samples of the stolen data shared with customers were confirmed to be valid.
Update: Added information to the first section about the ongoing extortion of hospitals.