Oracle Corporation, a leading global technology firm, is currently under intense scrutiny for its management of two distinct security breaches that have raised significant concerns among clients and industry observers.
Oracle Health Data Breach
The first incident involves Oracle Health, a division formed after Oracle’s acquisition of Cerner in 2022 for $28 billion. Oracle Health provides technology solutions enabling healthcare providers to access electronic health records. Recent reports indicate that unauthorized individuals accessed Oracle servers, resulting in the theft of patient data. The exact nature and scope of the compromised data remain unclear, as does the list of affected healthcare organizations.
In March 2025, Oracle notified certain healthcare clients about the breach, stating that on or around February 20, 2025, they became aware of unauthorized access to some Cerner data stored on a legacy server not yet migrated to Oracle Cloud. This notification suggests that the breach targeted older systems pending integration into Oracle’s cloud infrastructure.
Further complicating the situation, reports have emerged of hackers attempting to extort affected hospitals, demanding substantial sums of money. An anonymous Oracle employee expressed concerns over the company’s internal communication regarding the breach, noting that their team experienced restricted access to customer environments for several days without clear explanations. The employee highlighted the potential risks beyond patient data, as unauthorized access could extend to other hosted applications, including human resources and financial systems.
Oracle Cloud Security Incident
The second security incident pertains to Oracle’s cloud services. A threat actor identified as Rose87168 has claimed responsibility for exfiltrating six million records from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. This data reportedly includes Java KeyStore (JKS) files, encrypted SSO and LDAP credentials, key files, and Enterprise Manager Java Platform Security (JPS) keys. The breach is said to affect over 140,000 enterprise tenants.
The attacker has listed the stolen data for sale on cybercrime forums and is demanding payment from affected companies to remove their data from the dataset. Additionally, the threat actor is offering incentives for assistance in decrypting the stolen credentials, raising concerns about potential widespread unauthorized access.
The breach is believed to have exploited a known vulnerability in Oracle Access Manager, specifically CVE-2021-35587, which allows unauthenticated remote code execution over HTTP. Despite Oracle releasing a patch for this vulnerability in 2022, it appears that unpatched or legacy systems were still susceptible, enabling the attacker to gain initial access.
Oracle’s Response and Industry Reaction
Oracle has publicly denied the breach, stating: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." This categorical denial contrasts with evidence presented by cybersecurity researchers, who have provided substantial indications of a significant security incident. This discrepancy raises concerns about transparency and communication during cybersecurity events.
The Federal Bureau of Investigation (FBI) is reportedly investigating the cyberattack at Oracle, particularly focusing on the theft of patient data. The FBI has not commented on the matter, and Oracle has not responded to requests for comment.
Recommendations for Affected Organizations
In light of these incidents, organizations utilizing Oracle Health or Oracle Cloud services should take immediate action to mitigate potential risks:
– Credential Management: Reset all SSO, LDAP, and associated credentials, especially for privileged accounts, to prevent unauthorized access.
– System Audits: Conduct thorough audits to identify and update any outdated or vulnerable components, particularly those related to Oracle Fusion Middleware and Oracle Access Manager.
– Incident Response Planning: Develop and regularly update incident response plans to ensure preparedness for potential breaches. Conduct simulation exercises to test the effectiveness of these plans.
– Engagement with Oracle and Security Communities: Maintain open communication with Oracle and participate in cybersecurity forums to stay informed about emerging threats and vulnerabilities. Collaborate with industry peers to share insights and best practices.
Conclusion
The recent security incidents involving Oracle Health and Oracle Cloud underscore the critical importance of robust cybersecurity measures and transparent communication. Organizations must remain vigilant, promptly address vulnerabilities, and engage in proactive risk management to safeguard sensitive data and maintain trust with clients and stakeholders.