The Oracle Health Breach: How a Legacy Cerner Server Exposed Up to 80 Hospitals and Millions of Patient Records

On or around January 22, 2025, a threat actor entered a server that Oracle Corporation had been meaning to decommission for years. It contained patient records from dozens of U.S. hospitals. The attacker stayed undetected for nearly a month. When Oracle finally discovered the breach on February 20, it quietly notified hospital clients on plain paper with no company letterhead, and told them not to email, only to phone the CISO directly. No public statement followed for weeks. By the time the full scope began to surface, attorneys were estimating up to 80 hospitals affected and potentially millions of patients whose medical records, Social Security numbers, and diagnoses were in unauthorized hands.

The Oracle Health data breach is one of the largest healthcare security failures of 2025. It did not make headlines through dramatic system shutdowns or ransomware notes. It surfaced gradually, hospital by hospital, notification letter by notification letter, over the course of nearly a year. As of early 2026, new institutions are still disclosing their exposure. The incident raises serious questions about what happens to sensitive patient data when a $28 billion acquisition leaves critical legacy infrastructure sitting in a migration queue, unloved and underpowered.

Background: Oracle Acquires Cerner, Legacy Systems Remain

Cerner Corporation was one of the dominant forces in electronic health record (EHR) software for U.S. hospitals. In December 2021, Oracle announced it had reached an agreement to acquire Cerner for approximately $28.3 billion. The deal closed in June 2022, and Cerner was folded into what became Oracle Health — a healthcare SaaS division offering EHR and business operations systems to hospitals and healthcare organizations across the country.

From the moment the acquisition was announced, Oracle's stated goal was to modernize Cerner's infrastructure by migrating its on-premises and legacy server environments onto Oracle Cloud Infrastructure (OCI). That migration turned out to be a slow, uneven process. Large, complex health systems take considerably more time to move than smaller organizations, and the transition left a significant amount of patient data sitting on older Cerner servers that were technically still connected to Oracle's environment but had not yet been brought into the cloud.

As of January 2025 — more than two years after the acquisition closed — those legacy servers still existed, still held active patient data, and were apparently accessible using credentials that had not been adequately secured. That combination became the opening the attacker needed.

"A lot of these older legacy systems, they just get sort of stuffed in the corner a bit and get forgotten about as most of our energy is focusing on building the latest and greatest and the new thing." — Jim Ducharme, CTO of ClearDATA, speaking to InformationWeek

How the Breach Happened: Stolen Credentials and a Server Left Behind

According to Oracle Health's private breach notifications to affected hospital clients — reviewed and reported by BleepingComputer — the unauthorized access began on or after January 22, 2025. The attacker used compromised customer credentials to access legacy Cerner data migration servers. Those servers had not yet been migrated to Oracle Cloud. The intrusion was not detected until February 20, 2025, leaving a window of at least 29 days during which the threat actor could move through the environment and exfiltrate data.

Cybersecurity researchers have pointed to CVE-2021-35587, a critical pre-authentication remote code execution flaw in Oracle Access Manager (a Fusion Middleware component, patched in Oracle's January 2022 Critical Patch Update), as the likely entry point for a separate compromise of Oracle infrastructure in the same period. According to analysis published by USDM Life Sciences, some Oracle systems were still running vulnerable versions as late as February 2025 despite the patch having been available for three years. The Oracle Health/Cerner servers were accessed with stolen credentials rather than through this CVE, and Oracle has not confirmed any link between the two events. What the overlapping timeline does suggest is that patching and decommissioning of legacy environments had fallen behind in more than one place, not just on the Cerner migration servers.

Oracle told affected hospital clients that the attacker copied data to a remote server. What data, exactly, varied by institution — but the categories disclosed in breach notifications to state attorneys general and patients are among the most sensitive in existence: full names, Social Security numbers, dates of birth, driver's license numbers, treating physicians, dates of service, medical record numbers, diagnoses, medications, insurance information, test results, and treatment details.
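The access pattern described in this section (a customer account logging into a not-yet-migrated server from an unfamiliar source, copying far more data than it ever had before, and doing so unnoticed for four weeks) is exactly what a per-host baseline on the legacy server itself should surface. The Python block below is an added example written for this article, not code from Oracle, Cerner, BleepingComputer or any other source cited here. The log format, host name, account name, IP addresses and byte counts are all constructed for illustration; the only assumptions are that the legacy host records logins and transfers with a timestamp, account, source address and byte count, and that a period of known-good activity exists to train on.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical format, not real Oracle/Cerner telemetry:
# <ISO timestamp> <host> <event> <account> <source IP> <bytes transferred>
# Lines before the baseline cutoff (2025-01-20 here) are assumed known-good activity
# for the customer service account. The 2025-01-22 lines model a login with stolen
# credentials from an unfamiliar address followed by an unusually large copy-out,
# mirroring the pattern described in the article.
SAMPLE_LOGS = """\
2025-01-10T09:12:00Z migr-legacy-01 login hospital_a_svc 203.0.113.10 0
2025-01-10T09:15:00Z migr-legacy-01 transfer hospital_a_svc 203.0.113.10 5242880
2025-01-15T11:00:00Z migr-legacy-01 login hospital_a_svc 203.0.113.10 0
2025-01-15T11:02:00Z migr-legacy-01 transfer hospital_a_svc 203.0.113.10 4194304
2025-01-22T02:41:00Z migr-legacy-01 login hospital_a_svc 198.51.100.77 0
2025-01-22T02:45:00Z migr-legacy-01 transfer hospital_a_svc 198.51.100.77 83886080
2025-02-03T03:10:00Z migr-legacy-01 login hospital_a_svc 198.51.100.77 0
2025-02-03T03:20:00Z migr-legacy-01 transfer hospital_a_svc 198.51.100.77 157286400
"""

# Alert when a single transfer exceeds this multiple of the largest baseline transfer.
LARGE_TRANSFER_RATIO = 5.0


def parse_logs(text):
    """Parse the hypothetical log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, account, src_ip, nbytes = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "event": event,
            "account": account,
            "src_ip": src_ip,
            "bytes": int(nbytes),
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events, baseline_until):
    """Flag first-seen source IPs and oversized transfers per (host, account).

    Events before `baseline_until` only train the baseline and never alert.
    A new IP alerts once; later reuse of the same IP is not re-flagged, but
    every oversized transfer is, since each one is a separate exfiltration.
    """
    known_ips = defaultdict(set)      # (host, account) -> source IPs seen so far
    max_transfer = defaultdict(int)   # (host, account) -> largest baseline transfer
    alerts = []
    for e in events:
        key = (e["host"], e["account"])
        if e["time"] < baseline_until:
            known_ips[key].add(e["src_ip"])
            if e["event"] == "transfer":
                max_transfer[key] = max(max_transfer[key], e["bytes"])
            continue
        if e["src_ip"] not in known_ips[key]:
            alerts.append({
                "time": e["time"],
                "reason": "new_source_ip",
                "detail": f"{e['account']}@{e['host']} from {e['src_ip']}",
            })
            known_ips[key].add(e["src_ip"])
        if (e["event"] == "transfer" and max_transfer[key]
                and e["bytes"] > LARGE_TRANSFER_RATIO * max_transfer[key]):
            alerts.append({
                "time": e["time"],
                "reason": "large_transfer",
                "detail": f"{e['bytes']} bytes vs baseline max {max_transfer[key]}",
            })
    return alerts


def dwell_days(alerts, detected_at):
    """Whole days between the earliest alert and when the intrusion was actually noticed."""
    if not alerts:
        return 0
    return (detected_at - min(a["time"] for a in alerts)).days


if __name__ == "__main__":
    cutoff = datetime(2025, 1, 20, tzinfo=timezone.utc)
    found = detect(parse_logs(SAMPLE_LOGS), cutoff)
    for a in found:
        print(a["time"].isoformat(), a["reason"], a["detail"])
    # Detection date from the article; the gap is what a baseline alert would have closed.
    print("dwell days before detection:", dwell_days(found, datetime(2025, 2, 20, 12, tzinfo=timezone.utc)))
```

Against the constructed input the first anomalous login and the two oversized transfers all alert on the day they happen, versus the 29-day gap in the actual incident. The design point is that the baseline is keyed on the legacy host and account rather than on a central identity system: a server sitting in a migration queue still gets coverage as long as its own logs are collected, which is the part that tends to be skipped for hardware that is "about to be decommissioned".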

Oracle Health / Cerner Breach — Attack Chain (figure, rendered here as text)

  1. Credential compromise
  2. Legacy server access (January 22, 2025)
  3. Data exfiltration (PHI / SSNs)
  4. Detection (February 20, 2025)
  5. Extortion (demands in the millions of USD)

Oracle Health / Cerner breach progression: initial access January 22, 2025 through ongoing extortion of impacted hospitals

Two Oracle Breaches, One Timeline

The Oracle Health/Cerner incident is one of two distinct security events at Oracle in early 2025. A separate threat actor, going by the handle rose87168, claimed on March 20, 2025 to have stolen approximately six million records from Oracle Cloud Classic (also called Gen 1) servers by exploiting CVE-2021-35587, a critical vulnerability in Oracle Fusion Middleware. Oracle publicly denied the cloud breach while privately acknowledging that legacy servers were accessed. The two incidents are treated separately by investigators; this article focuses on the Cerner/Oracle Health breach affecting hospital patient data.

The Extortion Campaign: A Threat Actor Named Andrew

After the data was exfiltrated from the legacy Cerner servers, the affected hospitals did not immediately receive a notice from Oracle. Instead, a number of them were first made aware of the breach when an unknown party directly contacted them — claiming to be in possession of their patient data and demanding payment to keep it from being published or sold.

According to sources who spoke with BleepingComputer, the individual behind these demands was operating under the name "Andrew." This threat actor is described as having no claimed affiliation with any known ransomware group or cybercrime syndicate, making attribution more difficult. Andrew reportedly demanded millions of dollars in cryptocurrency from each affected institution and created publicly visible websites as a pressure tactic — a method designed to increase urgency and embarrass hospital administrators into paying before data was released.

"Impacted hospitals are now being extorted by a threat actor named 'Andrew,' who has not claimed affiliation with extortion or ransomware groups. The threat actor is demanding millions of dollars in cryptocurrency not to leak or sell the stolen data." — BleepingComputer, March 2025

The FBI launched an investigation into the extortion campaign. CrowdStrike was also reportedly engaged to assist in the forensic investigation. As of early 2026, no public arrest or attribution has been announced. No data from the Oracle Health/Cerner breach has been confirmed to appear on dark web markets, though the threat actor's clearnet pressure sites were used as leverage throughout 2025.

Union Health System in Terre Haute, Indiana, illustrates how hospitals first learned they were victimized. An unknown party contacted Union Health directly, claiming to hold their patient data. Union Health verified the claims on February 24, 2025, identified the information as likely coming from Oracle Health/Cerner's systems, and then had to reach out to Oracle themselves to confirm what happened. Oracle confirmed the breach to Union Health on March 15, 2025 — nearly three weeks after Union Health had already been contacted by the threat actor. Oracle did not reach out to Union Health proactively.

Oracle's Response: Silence, Plain Paper, and Shifted Responsibility

Oracle's public communications strategy around the Oracle Health breach has been the subject of significant criticism from security researchers, hospital administrators, and attorneys alike. The company issued no public statement about the incident for weeks after discovery. When it did notify affected hospital clients, those letters were signed by Seema Verma, Executive Vice President and General Manager of Oracle Health — but were sent on plain paper with no Oracle letterhead. Clients were also instructed to contact Oracle's Chief Information Security Office by phone only, not by email.

Multiple security experts and affected customers told BleepingComputer that this approach was deliberately designed to limit Oracle's formal documentary exposure. Sending breach notifications on unmarked paper rather than official letterhead, and routing follow-up communications through phone rather than traceable written channels, creates a less auditable record for regulators and plaintiffs.

Oracle also informed hospital clients that it would not be notifying patients directly. Under HIPAA, the breach notification obligation lies with the covered entity — in this case, the hospitals themselves, not their EHR vendor. Oracle took the position that each hospital was responsible for determining whether the stolen data constituted a reportable HIPAA breach and for issuing any required notifications to affected individuals. Oracle said it would help hospitals identify which patients were affected and provide notification templates, but the determination and execution were left entirely to the hospitals.

This approach was not unique to Oracle — HIPAA does structure responsibility this way — but it created a situation where some patients waited months, even close to a year, before receiving any notification that their records had been stolen. Oracle also cited law enforcement requests as a reason for delayed disclosures, a claim that some hospitals included verbatim in their own patient notification letters.

"Oracle Health/Cerner's lack of transparency has also been extremely frustrating." — Source speaking to BleepingComputer, March 2025

The Notification Cascade: Hospitals Left to Sort Out Their Own Patients

The institutional response to the Oracle Health breach unfolded slowly and unevenly throughout 2025. The first hospital to file a breach report with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights was Union Health System, which disclosed the incident on April 21, 2025, as affecting 262,831 individuals. That filing came 89 days after the intrusion began on January 22, and 56 days after Union Health verified the threat actor's claim on February 24. The delay became the subject of a lawsuit.

Mosaic Life Care (Heartland Regional Medical Center, Missouri) reported to HHS on June 27, 2025 that the breach affected approximately 145,300 individuals. Cerner itself filed a placeholder report to HHS OCR in June 2025 listing 501 individuals, a standard estimate used when the full count is still being assessed. By July 2025, breach reports submitted to regulators confirmed at least 410,000 people affected — though information security analysts noted that figure was certainly an undercount, since many hospital reports did not disclose final tallies.

As of late 2025 and into 2026, hospitals were still receiving notifications from Oracle Health about their exposure. Among the confirmed affected institutions, based on public disclosures and reporting, are the following:

  • Union Health System — Terre Haute, Indiana (262,831 patients)
  • Mosaic Life Care — St. Joseph, Missouri (approximately 145,300 patients)
  • Munson Healthcare — Northern Michigan (more than 100,000 patients)
  • AdventHealth — Florida
  • Aultman Health System — Canton, Ohio (includes Aultman Hospital, Aultman Alliance Community Hospital, Aultman Orrville Hospital)
  • Baptist Health South Florida
  • ChristianaCare — Delaware
  • Glens Falls Hospital — New York
  • Lake Regional Health System — Osage Beach, Missouri
  • LifeBridge Health — Baltimore, Maryland
  • Methodist Le Bonheur Healthcare — Memphis, Tennessee
  • North Kansas City Hospital — Missouri
  • OSF Saint Clare Medical Center — Princeton, Illinois
  • Tallahassee Memorial Healthcare — Florida

The full list has not been made public by Oracle. In late 2025, plaintiffs' attorney Elena Belov, representing victims in class action litigation in the Western District of Missouri, disclosed that Oracle's own attorneys had told her that up to 80 hospitals may have been affected — representing a potential victim pool running into the millions.

"This is one of the most massive breaches in the healthcare industry in the last couple of years. We still don't know the entire universe. The list of affected hospitals has not been made public." — Elena Belov, plaintiffs' attorney, speaking to The Beacon, December 2025

The Lawsuits: More Than 20 Federal Class Actions Filed

Legal action against Oracle Health has been substantial. As of mid-2025, Oracle faced consolidated proposed federal class action litigation comprising approximately 20 individual lawsuits, all stemming from the Cerner data breach. By later in the year the number of class actions was reported at 29. The lawsuits name Oracle Health, Cerner Corporation (dba Oracle Health), and in some cases the individual hospital systems as co-defendants.

One lawsuit filed in the U.S. District Court for the Western District of Missouri names plaintiffs Rebecca Blount and Cheryl McCulley and alleges that Oracle was negligent in failing to secure the legacy Cerner servers following the $28.3 billion acquisition. The lawsuit asserts negligence, negligence per se, breach of third-party beneficiary contract, unjust enrichment, and breach of fiduciary duty. It seeks compensatory damages, long-term credit monitoring services, and injunctive relief requiring Oracle to implement specific security measures including data encryption, regular penetration testing, third-party audits, and automated monitoring.

A separate lawsuit filed against Union Health System and Oracle Health in the Western District of Missouri argues that Union Health's notification letters, which did not go out until some 89 days after the intrusion began on January 22, deprived affected individuals of the opportunity to protect themselves during the window their data was in criminal possession. That delay argument has appeared in multiple filings and reflects a broader tension between the law enforcement delay justification Oracle has offered and the concrete harm experienced by patients who could not take protective action they did not know they needed.

A class action filed by a Florida resident in the Western District of Texas names Michael Toikach as plaintiff and was filed by law firm Shamis & Gentile. A separate lawsuit filed in the Western District of Missouri adds plaintiffs from multiple states and seeks a jury trial with punitive, compensatory, statutory, and exemplary damages alongside injunctive relief and attorneys' fees.

What Was Stolen and What It Means for Patients

The data categories exposed in the Oracle Health/Cerner breach represent a near-complete profile of a person's identity and medical history. Based on individual breach notification letters sent by affected hospitals and filings with state attorneys general, the stolen data includes some or all of the following, varying by patient:

  • Full legal name
  • Social Security number
  • Date of birth
  • Driver's license number
  • Home address
  • Treating physicians' names
  • Dates of service
  • Medical record numbers
  • Diagnoses
  • Medications prescribed
  • Test results and images
  • Care and treatment information
  • Health insurance information

This combination is particularly dangerous because medical records are among the most valuable datasets on the criminal market. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach in the healthcare sector is $9.8 million — the highest of any industry. Medical identity theft can be used to fraudulently obtain prescriptions, services, or insurance reimbursements. When combined with a Social Security number, it can be used to open credit accounts, file fraudulent tax returns, or establish synthetic identities that take years for victims to untangle.

Oracle Health has offered affected patients 24 months of free credit monitoring through Experian IdentityWorks Credit Plus 3B, which includes credit monitoring, dark web surveillance, identity restoration support, and up to $1 million in identity theft insurance. This is a standard post-breach offer and a legally recognized form of remediation, though critics note that credit monitoring is reactive rather than preventive.

If You Received a Notification Letter

If you received a breach notification from any of the affected hospitals, consider the following steps immediately: place a free credit freeze with all three credit bureaus (Equifax, Experian, TransUnion); enroll in the Experian IdentityWorks monitoring offered in your notification; file your taxes early this season to prevent fraudulent tax returns filed in your name; request an IRS Identity Protection PIN at irs.gov; and pull your free credit reports at AnnualCreditReport.com to review for unauthorized accounts or inquiries. Be alert for targeted phishing attempts that reference real details from your medical record — attackers who hold this data have enough to craft convincing impersonation messages.

Key Takeaways

  1. Acquisitions inherit risk, not just assets. Oracle paid $28.3 billion for Cerner and acquired its customers, its contracts, and its legacy servers. Three years after the deal was announced, and more than two and a half after it closed, those servers were still connected to a live environment holding patient records from dozens of U.S. hospitals. The Oracle Health breach is a textbook example of how M&A cybersecurity due diligence and post-acquisition infrastructure remediation can fail, and how the consequences fall not on shareholders but on patients.
  2. The notification gap harmed real people. Some patients did not receive breach notification until nine months or more after the initial compromise. During that window, an attacker held their Social Security numbers, diagnoses, medications, and insurance information. They could not take protective action because they did not know they needed to. The law enforcement delay justification may be legally sound; it is not morally neutral.
  3. Oracle's communication strategy compounded the harm. Sending breach letters on plain paper, directing hospital clients to contact the CISO by phone only, and refusing to issue a public statement for weeks after discovery are not standard practices for a company handling a breach affecting this many people. Multiple sources described Oracle's lack of transparency as deeply frustrating. Whatever the legal strategy behind those choices, they left hospital administrators, patients, and regulators in the dark longer than necessary.
  4. The full scope is still not known. As of March 2026, Oracle Health has still not publicly confirmed how many of its hospital clients were affected or the total number of patients whose data was stolen. Plaintiffs' attorneys have been told the number may be as high as 80 hospitals. Breach reports are still trickling in to HHS OCR. This means the real patient impact could be substantially larger than the confirmed numbers reflect.
  5. Healthcare remains the highest-cost target in cybersecurity. At $9.8 million average per incident, healthcare data breaches are not just a compliance problem — they are an existential financial threat for smaller health systems and a source of direct, lasting harm for patients whose records can be weaponized for years after a single theft event. The Oracle Health breach did not involve ransomware disrupting care delivery, but it involved something in some ways more permanent: the quiet exfiltration of irreplaceable personal and medical information from infrastructure that was never properly secured after it changed hands.

The Oracle Health/Cerner breach will likely be studied for years as a case study in what goes wrong when enterprise scale, acquisition complexity, legacy infrastructure debt, and inadequate post-incident transparency converge. Its consequences are still being counted. Hospitals are still sending notification letters. Federal class actions are still being filed. Patients who received their notifications months after the fact are still working through the protective steps they should have been able to take in January 2025. The question that remains unanswered — and may not be answered without litigation forcing the disclosure — is how many more people are still waiting to find out that their records were taken.
