Incident

Oracle Health breach compromises patient data at US Healthcare organizations



Oracle Health (formerly Cerner) has experienced a security breach affecting multiple US healthcare organizations and hospitals. The incident involved unauthorized access to legacy Cerner data migration servers that had not yet been migrated to Oracle Cloud.

Oracle Health has not yet publicly disclosed this incident, but multiple sources have confirmed to BleepingComputer that patient data was indeed stolen during the attack.

The incident was detected on February 20, 2025, although the unauthorized access began sometime after January 22, 2025. According to Oracle's direct notification to impacted customers, threat actors used stolen customer credentials to breach the servers and copy sensitive patient data to a remote server.

The stolen information reportedly includes:

  • Patient information from electronic health records
  • Recent patient records

The full extent of the compromised data and the total number of affected patients and healthcare providers have not been disclosed.

The breach affects legacy Cerner servers containing patient data, part of the electronic health records system that Oracle acquired in 2022 for $28 billion.

The FBI is currently investigating the breach and the attempts by cybercriminals to extort medical companies for ransoms, according to Bloomberg News.

Oracle Health's handling of the incident has reportedly frustrated affected organizations. Oracle has not publicly disclosed the incident; sent formal communications on plain paper rather than official Oracle letterhead; directed customers to communicate only with its Chief Information Security Office (CISO) via phone, not email; stated that it will not notify patients directly, placing that responsibility on the healthcare organizations; and declined to send notifications on behalf of impacted hospitals.

While Oracle has agreed to pay for credit monitoring services and mailing vendor costs for patient notifications, they have told healthcare organizations that it is their responsibility to determine if the stolen data violates HIPAA laws and whether patient notifications are required.

This incident comes shortly after reports of another alleged breach involving Oracle Cloud's federated SSO login servers, where a threat actor claimed to have stolen LDAP authentication data for 6 million people. The US Department of Veterans Affairs, which has a $16 billion contract with Oracle-Cerner, has stated they were not affected by this incident.

Update - As of 31st of March 2025, an Oracle employee who asked to remain anonymous revealed serious cybersecurity concerns regarding a potential data breach affecting patient data and potentially HR and financial data. They claim that Oracle failed to provide transparent communication about the incident to both employees and customers, and that Oracle staff were unable to access customer environments for days and had to rely on Reddit and internal Slack channels for information about the ongoing security situation.

As of 19th of June 2025, Tallahassee Memorial Healthcare is reporting that it is among the affected organizations and has notified patients via letters sent on June 13, 2025. TMH was notified by Cerner, which is now part of Oracle Health, that it had experienced a cybersecurity event involving unauthorized access to data hosted in Oracle/Cerner's data migration environment, including certain TMH patient information. The health system emphasized that its current electronic health record system was not affected and that there was no disruption to operations or patient care capabilities.

As of 1st of July 2025, Mosaic Life Care reports it was affected by the Oracle Health breach.

As of 5th of August 2025, Coral Gables-based Baptist Health South Florida reports its patient data was compromised in the Oracle Health breach.

As of 7th of August 2025, Glens Falls Hospital in New York reports its patient data was compromised in the Oracle Health breach.

As of 1st of November 2025, Hamilton Medical Center reports its patient data was compromised in the Oracle Health breach.

As of 29th of November 2025, ChristianaCare reports its patient data was compromised in the Oracle Health breach.

As of 24th of December 2025, OSF HealthCare reports its patient data was compromised in the Oracle Health breach.

As of 27th of December 2025, Lake Regional Health System reports its patient data was compromised in the Oracle Health breach.

As of 3rd of January 2026, Aultman Health System reports its patient data was compromised in the Oracle Health breach.

As of 5th of January 2026, the following health systems report their data was compromised in the Oracle Health breach:

  • AdventHealth (Altamonte Springs, Fla.)
  • Methodist Le Bonheur Healthcare (Memphis, Tenn.)
  • North Kansas City (Mo.) Hospital
  • LifeBridge Health (Baltimore)
  • Union Health (Terre Haute, Ind.)

As of 21st of January 2026, Jupiter Medical Center reports its patient data was compromised in the Oracle Health breach.

As of 24th of January 2026, Munson Healthcare reports its patient data was compromised in the Oracle Health breach.
