Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
While Oracle has so far declined to publicly acknowledge the data breach and a separate one that came to light last week, Oracle Health, in private letters sent to impacted customers, has said that it is aware of a breach of legacy Cerner data migration servers, according to a Bleeping Computer report.
Oracle Health was formed after the database firm acquired Cerner Corp, an electronic health records (EHR) business, for $28 billion in 2022 in a bid to bring the legacy healthcare software to the cloud.
“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” Oracle reportedly said in the letters.
Although unrelated to last week’s alleged Oracle Cloud breach, the Oracle Health incident raises serious concerns about the company’s security practices, particularly in safeguarding sensitive customer PII.
FBI to investigate the matter
The FBI is investigating the Oracle Health breach and attempts made by attackers to extort affected medical providers, according to a Bloomberg report.
“Hackers broke into Oracle Corp.’s computer systems and stole patient data in an attempt to extort multiple medical providers in the US,” the report said citing a person in the know. “It’s unknown how many patients’ records were taken. The total number of health-care providers that the hackers have sought to extort is also uncertain”.
While the letter suggests the breach affected Cerner data before they were uploaded to Oracle Cloud and that it is an entirely unrelated incident, the same can’t be said in full confidence given the timing of the two incidents and the fact that the health data breach was done with stolen logins.
“Available evidence suggests the threat actor illegally accessed the environment by using stolen customer credentials,” the letter reportedly added.
Oracle and the FBI office did not respond to requests for comments.
Oracle isn’t budging on Cloud breach denial
Cybersecurity firm CloudSEK first reported the cloud breach involving a threat actor “rose87168” selling six million records exfiltrated from single-sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) of Oracle Cloud.
While Oracle quickly denied the breach to media outlets, data shared as samples from the breach were validated by several Oracle customers. Additionally, the threat actor posted an archive.org URL (http://login.us2.oraclecloud.com) and demonstrated to the cybersecurity news channel Bleeping Computer they had write access to login.us2.oraclecloud.com, a login service using Oracle Access Manager.
Oracle has since requested Wayback Machine (Archive.org) to take down the archived URL. Independent cybersecurity researchers are taking to the internet to criticize Oracle’s efforts at coverup. Meanwhile, the threat actor posted a long video of an internal Oracle meeting, presumably from the breach, solidifying their claims.
“In cybersecurity, denial doesn’t neutralize the danger, transparency does,” CloudSEK co-founder and CEO Rahul Sassi told CSO. “This investigation is not about blame, it’s about accountability. It’s about empowering every security team, every customer, and every vendor in the supply chain to act before attackers do.” Affected data from the breach included JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys, according to CloudSEK. While SSO passwords could be cracked with other breached files, LDAP passwords were encrypted and the threat actor, in their post, sought help with decoding them in exchange for some compromised data.