Skip to Content
Client Payment

Events In the News

Oracle Health Confirms Data Breach

on Wednesday, 30 April 2025 in Health Law Alert: Kristin N. Lindgren, Editor

A class action lawsuit has been filed against Oracle Corporation in the U.S. District Court for the Western District of Texas in association with a January 2025 data breach.  After initially denying that it suffered a security breach, in an April 7th email Oracle officially notified customers that its healthcare subsidiary, Oracle Health, suffered a data breach.  The company stated “that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has NOT experienced a security breach.”  The email also states that “no OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”

Oracle does, however, admit that a security incident occurred – “A hacker did access and publish user names from two obsolete servers that were never part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore, the hacker was not able to access any customer environments or customer data.”

Copy of Oracle email notice (BleepingComputer)

Oracle Health was formed after Oracle acquired Cerner Corporation and its electronic health records business in 2022.

The security incident involved legacy servers, older servers from Cerner, that reportedly had not yet been migrated to Oracle Cloud.  Oracle said stolen credentials were used to access those servers on or around January 22, 2025, and Oracle identified the incident around February 20, 2025. Oracle has yet to confirm the number of individuals impacted and the categories of data involved, but likely includes information typically found in medical records.

In late March, a hacker known as “rose87168” claimed to have breached Oracle’s login servers, stealing around six million records containing sensitive customer data, including security keys and credentials, claiming that encrypted passwords can be decrypted.  Despite those claims, Oracle insisted that it has not suffered a security breach, that the credentials are not linked to Oracle Cloud, and that no customer data was lost.

Another lawsuit has been filed against Oracle Health in relation to the breach. This lawsuit was filed in the U.S. District Court for the Western District of Missouri and claims a hacker stole sensitive information, including names, Social Security numbers, clinical test results, and other protected health information. The lawsuit claims Oracle Health was negligent by failing to secure servers after the Cerner acquisition.

Oracle Health has not yet submitted a notice of breach to the Office of Civil Rights.

Grayson J. Derrick
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design