Hacking Incidents Involving Oracle’s Obsolete Servers

On April 7, 2025, Oracle emailed notifications to clients concerning a security incident reported in the news, stating that Oracle Cloud was not compromised. Oracle said in the notification that Oracle Cloud, also called Oracle Cloud Infrastructure or OCI, did not experience a security breach or a penetration of its OCI customer environment. No OCI customer data was accessed or stolen, and no OCI service was interrupted or breached.

The security incident affected legacy servers. A hacker accessed and published user names found on two obsolete servers that were not part of OCI. The hacker did not obtain usable passwords, since the two servers held only hashed and/or encrypted passwords. Consequently, the hacker could not access customer environments or customer data.

Security researcher Kevin Beaumont stated that the obsolete servers were Gen1, also known as Oracle Cloud Classic, a platform distinct from Oracle Cloud, although both are cloud services managed by Oracle. Beaumont said Oracle is using wordplay in its breach notifications and questioned why the hacker was able to access two obsolete servers that still contained data. Oracle's reply relates to a claim made by the threat actor rose87168, who is trying to sell 6 million data records that include LDAP display names, given names, email addresses, hashed passwords, and other data.

Another incident, concerning Oracle Health, previously called Cerner, involved a hacker known as Andrew, who is trying to extort Oracle Health clients. Andrew is demanding cryptocurrency payment in exchange for not exposing the stolen information. The Federal Bureau of Investigation (FBI) is looking into the incident but has not disclosed details about the ongoing investigation.

The Oracle Health security incident likewise affected outdated servers, in this instance legacy servers from Cerner, an electronic health record company. The servers had not yet been migrated to Oracle Cloud. Oracle said the hacker used stolen data to gain access to the servers on or about January 22, 2025. The security incident was discovered on or about February 20, 2025. The number of people affected and the types of information involved are not yet certain, but they probably include data commonly found in medical records.

Oracle Health is facing another lawsuit associated with the breach. The lawsuit was filed in the U.S. District Court for the Western District of Missouri and alleges that a hacker stole sensitive data, such as names, medical test results, other protected health information (PHI), and Social Security numbers. The lawsuit states that Oracle Health was negligent because it failed to secure the servers following its acquisition of Cerner for $28.3 billion in 2022.

According to the two plaintiffs, Cheryl McCulley and Rebecca Blount, Oracle Health did not provide information about the data breach; as a result, they now face a greater and continuing risk of identity theft and fraud. They have also incurred expenses while protecting themselves against misuse of their data. Aside from damages, the lawsuit seeks injunctive relief, including a court order requiring Oracle Health to strengthen its security and operate with greater transparency in the future.

Oracle Health stated in its notification letters to its healthcare clients that it is the clients' responsibility to determine whether a breach is reportable under HIPAA. It is likewise their responsibility to send breach notifications to the affected individuals once they determine that a reportable breach has occurred.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA