Oracle Had a Data Breach (or Two). Here’s What We Know So Far

Apr 1, 2025 | Blog, Data Privacy

Two Breaches, One Troubling Pattern

In March 2025, two separate but equally alarming data breaches involving Oracle came to light.

  1. Alleged Oracle Cloud Legacy Database Breach

A hacker operating under the alias “rose87168” claimed to have compromised over six million records from more than 1,000 organizations by breaching Oracle’s legacy database. According to initial reports, the stolen data included SSO and LDAP tokens, which are used for user authentication.

  2. Oracle Health / Cerner Data Breach

Around the same time, Bleeping Computer reported a second breach—this one impacting Oracle Health (formerly Cerner, which was acquired by Oracle in 2021). The incident reportedly involved unauthorized access to patient data on legacy Cerner data migration servers.

Oracle’s Concerning Denial of the Cloud Breach

In an interesting turn of events, Oracle categorically denied any breach of its cloud systems. A company spokesperson told Bleeping Computer:

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

This prompted “rose87168” to double down and release alleged samples of compromised data to support their claims.

Many doubt Oracle’s denial. Cyber intelligence company CloudSEK released a report claiming to have evidence confirming the breach occurred. Separately, Bleeping Computer stated it contacted representatives from impacted companies who have also confirmed the breach’s authenticity.

The discrepancy may lie in Oracle’s wording. The hacker specifically referred to a “legacy database”, which may not fall under Oracle’s definition of “Oracle Cloud.” If true, Oracle’s statement could be technically accurate—but still misleading. Time will tell.

Oracle Fumbles the Cerner Legacy Breach

The Oracle Health/Cerner breach presents a different set of problems—this time in Oracle’s response and transparency.

Suspicious Notification Tactics

According to Bleeping Computer, customers impacted by the Oracle Health/Cerner breach did receive notice, which stated:

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud.”

However, the notice lacked Oracle’s official letterhead, raising concerns about its authenticity.

Incredibly, Oracle also reportedly advised customers not to contact them via email and instead requested phone-only communication, limiting written documentation of the breach.

On top of that, Oracle has declined to notify affected individuals directly, despite holding the patient records in question. Instead, the company says it will “assist” its customers in identifying and notifying those impacted—a tactic that could significantly delay patient awareness (more on that below).

How Oracle’s Handling of the Breach Harms Impacted Individuals

Oracle’s handling of these breaches reveals systemic problems—not just in its data security, but in how the company chooses to remediate the fallout.

  1. Downplaying or Misleading Language

Oracle’s immediate denial of a cloud breach appears premature at best—or deceptive at worst.

Given how quickly Oracle publicly claimed its cloud was not breached, it’s doubtful the company conducted a thorough audit or investigation. Worse, if Oracle is playing loose with phrasing—asserting Oracle Cloud was not breached while failing to disclose that its legacy database was—that’s outright misleading.

In either case, such a quick denial is likely to mislead impacted customers (i.e., entities using Oracle Cloud), as well as individuals whose personal data may be compromised.

That’s especially dangerous if the breach poses an ongoing threat. Affected parties may need to take immediate action, such as changing credentials or monitoring for suspicious activity. Oracle should have stated it was investigating the possibility of a breach, rather than engaging in premature damage control.

  2. Poor Breach Response Protocols

Oracle’s response to the Oracle Health/Cerner breach reflects a lack of urgency and clarity.

  • Omitting Its Letterhead: Customers may doubt the authenticity of communications that lack corporate branding. Whether intentional or accidental, this omission could lead recipients to believe the message is a phishing attempt, delaying their response.
  • Opting for Telephone Communication: A key principle in breach response is transparency. Companies need to clearly and publicly communicate what happened. Oracle’s decision to rely on phone-only contact—likely to avoid a paper trail—makes it appear the company is more interested in reputation management than helping customers.
  • Refusing to Notify Affected Individuals Directly: Oracle Health maintains patient records and is in the best position to notify those impacted. By pushing that burden onto its clients, Oracle slows down the notification process. Smaller entities may take longer to identify and contact affected individuals, delaying their ability to take protective measures.

Final Takeaway

These two back-to-back breaches paint a troubling picture. Oracle appears more focused on protecting its image than helping the people whose data was compromised due to poor security practices.

Worried You Were Impacted?

If you believe your personal or patient information was affected by either of these Oracle breaches, contact us for a free consultation using the form below. You can also contact Amanda Fiorilla directly at afiorilla@lowey.com.