Steve Cagle, Clearwater CEO
As many in the healthcare sector are aware, it has been reported that Oracle Health customers have individually received notification letters from Oracle Health advising that it detected a security breach on February 20, 2025 and that a forensic investigation confirmed that the breach occurred on or after January 22, 2025. The breach resulted in impermissible disclosures of ePHI according to these reports from customers.
It has been stated by BleepingComputer that the Oracle Health notification letters were signed by Seema Verma, Executive Vice President & GM of Oracle Health and that these letters were not sent on Oracle letterhead. Affected customers were told to contact Oracle Health’s Chief Information Security Office (CISO) directly over the phone, not via email. Clearwater has not viewed the letter, and as such, is only commenting on publicly available information.
How should you respond?
Healthcare organizations would be advised to contact Oracle Health if they have questions or concerns and follow incident response and investigation procedures. They are advised to review their business associate agreements and action as appropriate.
If you have been impacted in this breach, Clearwater can help you in managing the incident and can provide advice and recommendations on how to best respond. Please contact your Clearwater representative to discuss how we can help. Contact Us.
How did this breach occur?
According to the report from BleepingComputer, Oracle Health said an unknown threat actor accessed a legacy server using stolen credentials and exfiltrated data. If this was a customer account, it raises the questions as to how one compromised customer account could result in breach of multiple customers data, and why there were not mitigating controls sufficient to prevent the breach.
How impactful is the breach? Sources have told BleepingComputer that the impacted hospitals are being extorted for millions of dollars in cryptocurrency by an individual threat actor going by the name “Andrew” who has not claimed affiliation with any known ransomware or extortion groups. To our knowledge, this information has not been publicly disclosed by Oracle. All known information has been sourced from clients.
Is Oracle Being Transparent Enough?
Oracle is receiving criticism about how it is handling this breach, as well as another alleged breach that Oracle has denied. On March 20th, a threat actor called rose87168 claimed on BreachForums to have compromised Oracle Cloud Infrastructure (OCI). The breach reportedly affected servers responsible for authenticating users to Oracle Cloud services. The threat actor claimed to have access to Oracle Cloud servers over a month ago and claimed to email the company after exfiltrating data from the US2 and EM2 cloud regions.
Despite multiple researchers claiming to have seen evidence that supports the breach is valid, Oracle initially denied it, and now remains silent. Oracle’s actions about both incidents are concerning and naturally raise questions about Oracle’s transparency and accountability.
Is Oracle trying to avoid any association with the breach of legacy Cerner data migration servers?
As many know, Oracle Health is a unit that was combined with Cerner, an electronic health records company that Oracle acquired in 2022 for $28 billion. When an organization acquires and integrates organizations, per HHS OCR’s Final Guidance for Risk Analysis under the HIPAA Security Rule, it must assess risk, determine risk levels and take appropriate actions to reduce risk to reasonable levels. One important question is the extent to which Oracle Health’s risk analysis followed OCR’s guidance, and how detailed that analysis was.
What support is Oracle providing?
Oracle Health is allegedly telling hospitals that they will not notify patients directly and that it is their responsibility to determine if the stolen data requires notification under HIPAA. However, Oracle supposedly has committed to help identify impacted individuals and support the notification process by providing templates. Bloomberg has reported that the FBI is investigating the matter but with no confirmation from the FBI or Oracle at this time.
Commentary
The reported Oracle Health breach further demonstrates that successful cyberattacks the healthcare sector are not slowing down. We continue to see these attacks on health IT and digital health companies that maintain sensitive electronic protected health information from multiple provider and payer organizations.
Business associates – in particular large EHR providers – must be held to high cybersecurity standards, including performing on-going risk analysis, risk remediation and incident response procedures. When breaches occur, they must act responsibly. An organization’s transparency, response time and support for their customers will dictate how they are viewed and trusted by the industry.
