Oracle health data breach exposes sensitive information of 13,633 patients

A cyberattack on legacy Cerner systems compromised patient data across multiple states earlier this year.

What happened

Oracle Health, formerly known as Cerner Corporation, experienced a data breach that affected at least 13,633 patients across several U.S. states. The breach was discovered on March 7, 2025, and involved unauthorized access to patient information stored on legacy Cerner systems. The attack itself occurred over several days, beginning on or before January 22, 2025.

The breach was formally reported to the U.S. Department of Health and Human Services on June 17, 2025. Notification letters to patients began going out on July 25.

Going deeper

Oracle Health provides electronic health record (EHR) systems to hospitals and medical practices nationwide. The breach affected patients in Texas (4,082 individuals), Massachusetts (6,562), South Carolina (2,989), and Washington (802), and included both personally identifiable information (PII) and protected health information (PHI).

Exposed data may include:

• Names and addresses
• Social Security numbers
• Dates of birth
• Medical record numbers
• Treatment details, diagnoses, medications, images, doctors' names, and test results

Affected patients are being offered 24 months of free Experian IdentityWorks Credit Plus 3B, which includes credit monitoring, identity theft insurance, and dark web surveillance.

What was said

Cerner has not disclosed how many healthcare facilities were involved or whether the attacker used known vulnerabilities in the legacy systems. However, the company has stated it is working with affected institutions to notify patients and mitigate risks. Notices were also sent to the attorneys general of California, Massachusetts, South Carolina, Texas, and Washington.

Oracle Health’s official website provides additional details about support services and recommended next steps for those affected.

FAQs

What are legacy systems, and why are they more vulnerable to breaches?

Legacy systems are outdated software or hardware platforms that may no longer receive regular security updates. In healthcare, they often remain in use due to the complexity of migrating large datasets or maintaining compatibility with existing hospital systems.

How does Oracle Health’s breach notification process work?

Oracle Health notifies affected individuals by mail and reports to the relevant state attorneys general. These notices include details about the type of data exposed and available support services like credit monitoring.

What should victims do if they suspect someone is using their medical identity?

Individuals can request a copy of their medical records from their provider, look for unfamiliar entries, and contact their insurer about suspicious claims. If needed, victims can file a complaint with the HHS Office for Civil Rights.