Oracle Health faces backlash after hack exposes patient data
Kirsten Peremore
Apr 1, 2025 5:45:45 PM

In January 2025, Oracle Health, which acquired Cerner and its electronic health record (EHR) system in 2022, experienced a hacking incident involving legacy Cerner patient data.
What happened
According to reports from BleepingComputer, hackers accessed legacy servers on January 22, 2025, using compromised customer credentials. The attackers exfiltrated copies of patient data, intending to extort multiple U.S. medical providers. Oracle Health discovered the incident on February 20, 2025, but opted not to send breach notifications to affected individuals on behalf of clients.
Instead, Oracle covers the costs of credit monitoring and uses a mailing vendor for notification services. Oracle Health reportedly directed affected customers to communicate only with its Chief Information Security Officer (CISO) by phone rather than email, which has drawn criticism for a lack of transparency.
The FBI is actively investigating the breach.
In the know: Why IT services and software vendors are targeted
Vendors act as gatekeepers to vast amounts of protected health information (PHI) and operational systems, making them high-value targets. The 2024 Change Healthcare cyberattack demonstrated how a single breach at a major IT vendor could cripple billing systems, delay patient care, and disrupt operations across countless healthcare providers. Threat actors recognize that compromising a vendor provides leverage to exploit multiple clients simultaneously, amplifying the impact of their attacks.
Many vendors manage Internet of Medical Things (IoMT) devices and cloud platforms, which often contain unpatched vulnerabilities. According to Palo Alto Networks, 75% of medical infusion pumps have known security gaps, and third-party vendors supporting these devices have become weak links.
What was said
According to BleepingComputer, “Sources have told BleepingComputer that the impacted hospitals are being extorted by an individual threat actor going by the name "Andrew" who has not claimed affiliation with any known ransomware or extortion groups.
The threat actor is demanding millions of dollars in cryptocurrency to prevent the leak or sale of stolen data and has created clearnet websites about the breach as a way to pressure the hospitals.”
FAQs
What must be included in a business associate agreement?
A BAA must specify the permitted uses and disclosures of PHI, require safeguards to protect PHI, mandate breach reporting, and ensure compliance with patient requests for access or amendments to PHI.
Can a business associate self-certify compliance?
No, business associates must enter into a BAA with covered entities to ensure compliance. Self-certification or third-party certification is not permissible under HIPAA.
What are the responsibilities of a business associate?
Business associates must implement safeguards to protect PHI, report breaches, and comply with requests for access or amendments to PHI.