Shane

Oracle Health Data Breach: What Houston Healthcare Providers Need to Know

Anatomy of a Healthcare Hack: Inside the Oracle Health Data Breach – When Health Records Fall into the Wrong Hands

  The Breach: Timeline and Discovery

A significant data breach at Oracle Health has impacted multiple US healthcare organizations and hospitals after attackers stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but private communications sent to impacted customers confirm that patient data was stolen in the attack.

According to notifications sent to affected customers, Oracle Health became aware of the breach on February 20, 2025. The company reported that unauthorized access to legacy Cerner data migration servers occurred sometime after January 22, 2025.

  Scope and Impact

The FBI is investigating the cyberattack at Oracle that led to the theft of patient data, according to Bloomberg News. In March 2025, Oracle alerted some healthcare customers that attackers had accessed its servers and copied patient data to an outside location.

It remains unknown exactly how many patients’ records were compromised in the breach. The total number of healthcare providers that the hackers have sought to extort is also uncertain. What is clear is that the breach has potentially exposed sensitive patient information from multiple US hospitals.

Affected hospitals are reportedly being extorted by an individual threat actor going by the name “Andrew” who has not claimed affiliation with any known ransomware or extortion groups. The threat actor is demanding millions of dollars in cryptocurrency to prevent the leak or sale of stolen data and has created websites about the breach to pressure the hospitals.

  Attack Method

Oracle reports that the threat actor used compromised customer credentials to breach the servers and copy data to a remote server. The stolen data “may” have included patient information from electronic health records. However, multiple sources confirmed to BleepingComputer that patient data was definitely stolen during the attack.

Oracle told customers that the hackers accessed older Cerner servers, taking data that had not yet been migrated to Oracle’s cloud storage service. “Available evidence suggests the threat actor illegally accessed the environment by using stolen customer credentials,” the company said in a notice to customers.

  Oracle’s Response and Communication Issues

Oracle Health is telling hospitals that it will not notify patients directly: it is each provider's responsibility to determine whether the stolen data constitutes a breach of protected health information under HIPAA and whether patient notifications are required. The company has offered to help identify impacted individuals and to provide templates to assist with notifications.

In conversations with numerous sources, BleepingComputer learned that the formal notifications were sent on plain paper rather than Oracle letterhead, signed by Seema Verma, Executive Vice President & GM of Oracle Health, and that the company has not formally acknowledged the breach in the way customers expected.

Furthermore, rather than providing written reports, Oracle Health has reportedly directed customers to communicate only with its Chief Information Security Officer (CISO) over the phone and not via email. This approach has left hospitals without proper documentation or clear guidance on responding to the breach.

  Connection to Oracle Cloud Breach

The disclosure of this incident comes shortly after reports of an alleged breach of Oracle Cloud's federated SSO login servers, in which a threat actor claimed to have stolen LDAP authentication data for 6 million people. As proof of the attack, the threat actor shared an archived copy of a file uploaded to one of Oracle's login servers that contained the attacker's email address.

Security researchers recently identified a threat actor selling authentication records exfiltrated from Oracle Cloud, suggesting a breach of Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. These records include highly sensitive information that poses a security risk to impacted firms, like encrypted SSO passwords, security certificates, and encryption key files.

The threat actor most likely exploited a known vulnerability, CVE-2021-35587, to access one of Oracle Cloud's login endpoints. The flaw, patched in Oracle's January 2022 Critical Patch Update and later added to CISA's Known Exploited Vulnerabilities catalog, allows an unauthenticated attacker with network access to compromise Oracle Access Manager instances. CloudSEK's investigation found that the exploited endpoint had not been updated since 2014 and was still in active use as recently as February 17, 2025.
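The CloudSEK finding above (a login endpoint left unpatched for years while the CVE sat in public catalogs) is the kind of gap a routine inventory-to-catalog check catches. The Python below is an added example, not code from the original post, Oracle, or CloudSEK. It reconciles a constructed software inventory against a two-entry catalog written in the layout of CISA's KEV JSON feed; the field names cveID, vendorProject, product, dateAdded and dueDate match that feed, but the entries, dates, hostnames and the placeholder CVE-0000-0001 are illustrative.

```python
"""Cross-check a software inventory against a CISA KEV-style catalog.

Constructed example, not code from the original post, Oracle, or CloudSEK.
Field names (cveID, vendorProject, product, dateAdded, dueDate) follow the
layout of CISA's published KEV JSON feed; the catalog entries, dates, hosts
and the placeholder CVE-0000-0001 below are illustrative only.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed two-entry catalog in the KEV JSON layout. CVE-2021-35587 is the
# Oracle Access Manager flaw named in the article; the dates here are
# illustrative, take real values from the live catalog.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2021-35587", "vendorProject": "Oracle",
     "product": "Fusion Middleware Access Manager",
     "dateAdded": "2022-11-28", "dueDate": "2022-12-19"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "Example Server",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31"}
  ]
}"""


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    last_patched: date      # date the last vendor patch/CPU was applied
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve_id: str
    days_past_due: int      # days beyond the catalog's remediation due date
    internet_facing: bool


# Constructed inventory. legacy-sso-01 mirrors the article's "not updated
# since 2014" login endpoint; the other hosts are made up for contrast.
ASSETS = [
    Asset("legacy-sso-01", "Oracle", "Access Manager", date(2014, 9, 1), True),
    Asset("oam-prod-02", "Oracle", "Access Manager", date(2023, 1, 15), True),
    Asset("app-03", "ExampleVendor", "Example Server", date(2024, 6, 1), False),
]


def load_kev(raw_json: str) -> list[dict]:
    """Return the vulnerabilities array from a KEV-layout JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def _tokens(name: str) -> set[str]:
    return set(name.lower().replace("-", " ").split())


def product_matches(asset: Asset, entry: dict) -> bool:
    """Loose name match: same vendor, and every token of one product name
    appears in the other (inventories and catalogs rarely spell it alike)."""
    if asset.vendor.lower() != entry["vendorProject"].lower():
        return False
    mine, theirs = _tokens(asset.product), _tokens(entry["product"])
    return mine <= theirs or theirs <= mine


def reconcile(assets: list[Asset], kev: list[dict], today: date) -> list[Finding]:
    """Flag every asset whose last patch predates a matching KEV entry.

    Conservative triage rule: a host patched before the entry was added is
    queued for review even though the fix may predate the listing
    (CVE-2021-35587 was patched in January 2022 but listed later), so the
    output is a review queue, not proof of exposure. Internet-facing hosts
    and the longest-overdue items sort first.
    """
    findings = []
    for asset in assets:
        for entry in kev:
            if not product_matches(asset, entry):
                continue
            added = date.fromisoformat(entry["dateAdded"])
            if asset.last_patched >= added:
                continue                      # patched after listing; assume fixed
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset.hostname, entry["cveID"],
                                    (today - due).days, asset.internet_facing))
    findings.sort(key=lambda f: (not f.internet_facing, -f.days_past_due))
    return findings


def run_example() -> list[Finding]:
    """Worked run against the constructed catalog and inventory."""
    return reconcile(ASSETS, load_kev(KEV_JSON), date(2025, 3, 31))


if __name__ == "__main__":
    for f in run_example():
        exposure = "internet-facing" if f.internet_facing else "internal"
        print(f"{f.hostname:14} {f.cve_id:15} {f.days_past_due:5d} days past due ({exposure})")
```

The date-based rule deliberately over-reports: it cannot tell whether a specific patch level contains a given fix, only that the host has not been touched since the entry appeared. That is the right default for legacy systems awaiting migration, where the cost of a false positive is a version check and the cost of a false negative is the scenario in this article.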

  Recent Developments

Oracle Health has still not publicly acknowledged the breach; its communication remains limited to private notices to affected customers. Those notices reiterate that the company will assist in identifying impacted individuals and provide notification templates, but that deciding whether HIPAA requires patient notification is up to each hospital.

While Oracle Health has agreed to pay for credit monitoring services and the mailing vendor for patient notification, the company is not willing to send notifications on behalf of the impacted hospitals.

 How CinchOps Can Help Secure Your Business

In light of these concerning breaches, organizations must take proactive measures to protect sensitive data. Here’s how CinchOps can help secure your business:

  1. Comprehensive Security Assessments: We identify vulnerabilities in your systems before attackers can exploit them, particularly in legacy systems awaiting migration.
  2. Credential Security Management: We implement robust credential protection systems to prevent the kind of compromised credential attacks that affected Oracle Health.
  3. Incident Response Planning: We develop and test customized incident response plans so your organization can respond quickly and effectively if a breach occurs.
  4. Patient Data Protection: For healthcare organizations, we provide specialized security protocols designed specifically to protect sensitive patient information in compliance with HIPAA regulations.
  5. Transparent Communication Protocols: We establish clear communication channels and documentation practices for security incidents.
  6. Vulnerability Management: We implement systems to track and patch known vulnerabilities before they can be exploited by attackers.
  7. Third-Party Risk Management: We assess and monitor the security postures of your vendors and partners to reduce supply chain risks.

Discover more about our enterprise-grade cybersecurity services on our Cybersecurity page.

Don’t wait until your organization is in the headlines for a data breach. Contact CinchOps today to strengthen your security posture and protect your most valuable data assets.
