US patient data reportedly stolen following Oracle Health breach

  • 2 April 2025
  • A breach at Oracle Health has reportedly led to patient data in the US being stolen by a cyber criminal, BleepingComputer reports
  • In a notice sent to impacted customers, Oracle Health confirmed that it became aware of a breach of legacy Cerner data migration servers on 20 February 2025
  • Oracle Health previously denied claims that its public cloud was compromised

An alleged breach at Oracle Health has impacted multiple healthcare organisations and hospitals in the US after a cyber criminal reportedly stole patient data from legacy servers.

Oracle Health is yet to publicly disclose the incident, but BleepingComputer reported that it had seen private communications sent to customers that confirmed patient data was stolen in the attack.

The notice from Oracle Health to impacted customers said that the firm became aware of a breach of legacy Cerner data migration servers on 20 February 2025.

It said: “We are writing to inform you that, on or around 20 February 2025, we became aware of a cybersecurity event involving unauthorised access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud.”

Oracle said the threat actor used compromised customer credentials to breach the servers sometime after 22 January 2025, and copied data to a remote server. This stolen data “may” have included patient information from electronic health records (EHRs).

According to BleepingComputer, multiple sources confirmed that patient data was stolen during the attack.

Details of the attack were not shared with customers and it is not known if ransomware was deployed in the attack or if it was purely data theft.

It is also unclear how a customer’s credentials could have allowed the theft of data from multiple organisations.

Sources told BleepingComputer that the impacted hospitals are being extorted by an individual threat actor going by the name “Andrew” who has not claimed affiliation with any known ransomware or extortion groups.

Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering EHRs and business operations systems to hospitals and healthcare organisations.

After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.

Oracle had previously denied claims that its public cloud offering was compromised and had information stolen, after a threat actor advertised on an online cyber crime forum what were alleged to be Oracle Cloud customer security keys and other sensitive data.

A spokesperson for Oracle told The Register on 21 March 2025: “There has been no breach of Oracle Cloud.

“The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Digital Health News contacted Oracle Health but had not received a response at the time of publication.
