Summary

  • Oracle Health faces a major data breach, with patient records from multiple hospitals exposed after a hacker compromised legacy servers.
  • The breach happened through stolen customer credentials, allowing the attacker to copy sensitive data to a remote server.
  • The hacker is demanding millions in cryptocurrency from impacted healthcare organizations.
  • Despite the severity of the incident, Oracle Health has assigned hospitals the responsibility for patient notifications.

Oracle Health is at the center of a major data breach impacting several U.S. hospitals and healthcare organizations. The breach, which originated from compromised legacy servers, has led to the theft of sensitive patient records. The attacker is now using ransomware to extort victims, demanding payments to prevent the stolen data from being leaked.

Oracle Health—formerly Cerner—provides electronic health records (EHR) and business management systems to medical institutions across the country. Since Oracle’s acquisition in 2022, Cerner’s infrastructure has been integrated into Oracle Cloud—though this latest breach suggests vulnerabilities in older systems remain a serious risk.

Here’s what we know so far.

Oracle Health breach: Timeline of events

Oracle Health quietly began notifying customers on February 20, 2025, about a breach involving legacy Cerner data migration servers.

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” reads the notification shared with Oracle Health customers.

According to Oracle, the breach was enabled by compromised customer credentials, allowing an attacker to gain access sometime after January 22, 2025. The stolen data—reportedly patient records from electronic health systems—was copied to a remote server.

What remains unclear is how a single set of customer credentials could have unlocked data across multiple organizations.

Adding to the frustration, Oracle Health is leaving hospitals to handle the fallout. The company has told customers it won’t notify patients directly, shifting the responsibility to healthcare providers. Hospitals must now determine if the breach triggers HIPAA notification requirements and handle patient disclosures themselves.

Ransomware fallout

As if the situation weren’t bad enough, reports have surfaced that the stolen data is now being used for extortion. The attacker—an individual operating under the name “Andrew”—has demanded millions in cryptocurrency to keep the records from being leaked or sold. Unlike typical ransomware operations, Andrew hasn’t claimed affiliation with any known cybercrime groups.

In an unusual move, the hacker has also set up public websites on the clearnet to pressure hospitals into paying up, exposing details of the breach to ramp up fear and compliance.

The FBI is now involved in the investigation, but for the affected hospitals and their patients, it may already be too late.

Lessons learned

This breach is a wake-up call for the healthcare industry. Patient data is a goldmine for cybercriminals, and yet many organizations continue to place blind trust in third-party providers without fully assessing the risks. In this case, hospitals weren’t the ones breached—Oracle Health was. But they’re the ones dealing with the consequences.

Beyond the breach itself, the use of stolen credentials raises serious concerns about Oracle Health’s security defenses. A zero-trust approach—one that includes user behavior monitoring and advanced data loss prevention (DLP)—could have prevented an attacker from exfiltrating patient records, even with valid login details. Credential theft is one of the oldest tricks in the book, yet Oracle’s defenses failed to catch it. Any organization still relying on traditional perimeter security is leaving the door wide open.
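The two signals the post describes, one customer credential reaching data belonging to several organizations and a large copy-out of records, are both visible in ordinary access logs. The detector below is an added illustration of that monitoring idea and is not Oracle's, Cerner's or Polymer's code; the log format, the sample rows and the thresholds are assumptions.

```python
"""Flag a credential that touches more than one tenant, or reads an unusual
volume of records, inside a sliding one-hour window. Added example; the log
layout (timestamp, credential, tenant, records read) and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: a migration service account that suddenly
# reaches four hospitals' data in bulk, next to a normal clinical user.
SAMPLE_LOG = [
    ("2025-01-22T02:10:00", "svc_migrate_01", "hospital-a", 40),
    ("2025-01-22T02:12:00", "svc_migrate_01", "hospital-b", 35),
    ("2025-01-22T02:15:00", "svc_migrate_01", "hospital-c", 5000),
    ("2025-01-22T02:20:00", "svc_migrate_01", "hospital-d", 7200),
    ("2025-01-22T09:00:00", "nurse_jdoe", "hospital-a", 12),
    ("2025-01-22T09:30:00", "nurse_jdoe", "hospital-a", 8),
]

MAX_TENANTS = 1       # one customer credential should map to one tenant
MAX_RECORDS = 1000    # reads above this per window are treated as a bulk export
WINDOW = timedelta(hours=1)


def detect_anomalies(log, max_tenants=MAX_TENANTS, max_records=MAX_RECORDS, window=WINDOW):
    """Return a list of (credential, reason, peak_value) findings.

    For each credential, every event opens a window; the peak distinct-tenant
    count and peak record total over all windows decide whether to alert, so
    each credential yields at most one finding per reason.
    """
    by_cred = defaultdict(list)
    for ts, cred, tenant, n in log:
        by_cred[cred].append((datetime.fromisoformat(ts), tenant, n))

    findings = []
    for cred in sorted(by_cred):
        events = sorted(by_cred[cred])
        peak_tenants = peak_records = 0
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            peak_tenants = max(peak_tenants, len({e[1] for e in in_window}))
            peak_records = max(peak_records, sum(e[2] for e in in_window))
        if peak_tenants > max_tenants:
            findings.append((cred, "cross-tenant", peak_tenants))
        if peak_records > max_records:
            findings.append((cred, "bulk-read", peak_records))
    return findings
```

On the sample rows only the service account is flagged, for both reasons; the clinical user stays within one tenant and a small volume.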

But Oracle’s handling of the breach is just as troubling as the attack itself—it’s essentially a lesson in what not to do when it comes to incident response. Affected hospitals have criticized the company for a lack of transparency, pointing to formal notifications sent on plain paper rather than official Oracle letterhead.

More concerning, Oracle Health has reportedly refused to provide written reports, instead instructing hospitals to communicate only by phone with its Chief Information Security Officer—effectively ensuring there’s no paper trail. This has left hospitals scrambling for answers, with no clear documentation or structured guidance on how to respond.

While Oracle has agreed to cover credit monitoring costs and pay for patient notification mailings, it has refused to send the notices itself, placing the burden squarely on hospitals. The company’s lack of transparency will no doubt create ramifications far beyond the initial breach. The fallout from this incident won’t be limited to stolen data—Oracle’s reputation is now on the line, and the damage may prove far longer lasting.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
