{"id":2562,"date":"2025-04-01T13:09:52","date_gmt":"2025-04-01T13:09:52","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2562"},"modified":"2025-04-01T13:09:52","modified_gmt":"2025-04-01T13:09:52","slug":"oracle-warns-customers-of-health-data-breach-amid-public-denial","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2562","title":{"rendered":"Oracle warns customers of health data breach amid public denial"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Oracle\u2019s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers\u2019 sensitive data, the company told some of its customers.<\/p>\n<p>While Oracle has so far declined to publicly acknowledge the data breach and a separate one that came to light last week, Oracle Health, in private letters sent to impacted customers, has said that it is aware of a breach of legacy Cerner data migration servers, according to a Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/oracle-health-breach-compromises-patient-data-at-us-hospitals\/\">report<\/a>.<\/p>\n<p>Oracle Health was formed after the database firm acquired Cerner Corp, an electronic health records (EHR) business, for $28 billion in 2022 in a bid to bring the legacy healthcare software to the cloud.<\/p>\n<p>\u201cWe are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,\u201d Oracle reportedly said in the letters.<\/p>\n<p>Although unrelated to last week\u2019s alleged<a 
href=\"https:\/\/www.csoonline.com\/article\/3852643\/oracle-cloud-breach-may-impact-140000-enterprise-customers.html\"> Oracle Cloud breach<\/a>, the Oracle Health incident raises serious concerns about the company\u2019s security practices, particularly in safeguarding sensitive customer PII.<\/p>\n<h2 class=\"wp-block-heading\"><strong>FBI to investigate the matter<\/strong><\/h2>\n<p>The FBI is investigating the Oracle Health breach and attempts made by attackers to extort affected medical providers, according to a Bloomberg <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-03-28\/oracle-warns-health-customers-of-patient-data-breach\">report<\/a>.<\/p>\n<p>\u201cHackers broke into Oracle Corp.\u2019s computer systems and stole patient data in an attempt to extort multiple medical providers in the US,\u201d the report said, citing a person in the know. \u201cIt\u2019s unknown how many patients\u2019 records were taken. 
The total number of health-care providers that the hackers have sought to extort is also uncertain\u201d.<\/p>\n<p>While the letter suggests the breach affected Cerner data before they were uploaded to Oracle Cloud and that it is an entirely unrelated incident, the same can\u2019t be said in full confidence given the timing of the two incidents and the fact that the health data breach was done with stolen logins.<\/p>\n<p>\u201cAvailable evidence suggests the threat actor illegally accessed the environment by using stolen customer credentials,\u201d the letter reportedly added.<\/p>\n<p>Oracle and the FBI office did not respond to requests for comments.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Oracle isn\u2019t budging on Cloud breach denial<\/strong><\/h2>\n<p>Cybersecurity firm CloudSEK first reported the cloud breach involving a threat actor \u201crose87168\u201d selling six million records exfiltrated from single-sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) of Oracle Cloud.<\/p>\n<p>While Oracle quickly denied the breach to media outlets, data shared as samples from the breach were validated by several Oracle customers. Additionally, the threat actor posted an archive.org URL (http:\/\/login.us2.oraclecloud.com) and demonstrated to the cybersecurity news channel Bleeping Computer they had write access to login.us2.oraclecloud.com, a login service using Oracle Access Manager.<\/p>\n<p>Oracle has since <a href=\"https:\/\/x.com\/MalwareJake\/status\/1906718254225093113\">requested<\/a> Wayback Machine (Archive.org) to take down the archived URL. Independent cybersecurity <a href=\"https:\/\/doublepulsar.com\/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a\">researchers<\/a> are taking to the internet to criticize Oracle\u2019s efforts at coverup. 
Meanwhile, the threat actor <a href=\"https:\/\/www.youtube.com\/watch?v=375_G9wAffo\">posted<\/a> a long video of an internal Oracle meeting, presumably from the breach, solidifying their claims.<\/p>\n<p>\u201cIn cybersecurity, denial doesn\u2019t neutralize the danger, transparency does,\u201d CloudSEK co-founder and CEO Rahul Sasi told CSO. \u201cThis investigation is not about blame, it\u2019s about accountability. It\u2019s about empowering every security team, every customer, and every vendor in the supply chain to act before attackers do.\u201d Affected data from the breach included JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys, according to <a href=\"https:\/\/www.cloudsek.com\/blog\/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants\">CloudSEK<\/a>. While SSO passwords could be cracked with other breached files, LDAP passwords were encrypted and the threat actor, in their <a href=\"https:\/\/doublepulsar.com\/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a\">post<\/a>, sought help with decoding them in exchange for some compromised data.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Oracle\u2019s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers\u2019 sensitive data, the company told some of its customers. 
While Oracle has so far declined to publicly acknowledge the data breach and a separate one that came to light last week, Oracle Health, in private letters sent to impacted customers, has said [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2563,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2562"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2562"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2562\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2563"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}