Oracle Health, a subsidiary of Oracle, is under investigation by the FBI for a cyberattack that exposed patient data. Hackers gained unauthorized access to legacy Cerner servers, which had not yet migrated to Oracle’s cloud. The breach occurred after January 22, 2025, and involved hackers copying and transferring data to an external server. Oracle Health became aware of the incident on February 20, 2025, but has yet to make a public statement. The exact number of compromised patient records remains unclear.
The attack exploited compromised customer credentials, allowing hackers to breach servers of several healthcare organizations.
While Oracle Health confirmed patient data was stolen, the full scope of the attack is still uncertain. Hospitals were informed but told they must decide if patient notifications are required under HIPAA. Oracle Health opted not to notify patients directly but provided templates for hospitals to use in their notifications.
The threat actor, “”Andrew,”” is extorting impacted hospitals for millions of dollars in cryptocurrency.
The hacker is threatening to release or sell the stolen data unless demands are met. “”Andrew”” created websites about the breach to pressure hospitals into compliance. There is no confirmation that ransomware was involved, though sources suggest it was purely data theft. The attack highlights the vulnerability of healthcare systems, with multiple organizations affected.
Oracle Health has faced criticism for its lack of transparency and poor communication after the breach. Hospitals were sent notifications on plain paper, not official letterhead. Oracle Health has directed hospitals to communicate with the Chief Information Security Officer by phone, not email. Though Oracle Health will cover the cost of credit monitoring, it will not send notifications for affected hospitals. This has placed the responsibility on the hospitals to manage the situation.
Reference:
