Data breach at Oracle Health leads to extortion of hospitals

A legacy server at Oracle Health has reportedly been breached, and patient data was stolen by cybercriminals. The story leaked to the media before the health IT company notified the public, with multiple hospitals and health systems reportedly impacted. 

Citing “private communications sent to impacted customers and from conversations with those involved,” BleepingComputer was the first to report the news on Friday. Bloomberg confirmed the story, adding that the FBI is investigating.

Notifications sent to customers, seen by both outlets, said the data breach was discovered “on or around” Feb. 20, with hackers gaining access to “some amount” of Cerner data that was stored on a server that had yet to be “migrated to the Oracle Cloud.” 

Cerner is the name under which Oracle Health operated before it was acquired by Oracle Corporation, the current parent company, in June 2022. The core business of providing EHR services has remained intact.

The old server, still apparently connected to the Oracle network, was accessed using stolen login credentials, the company confirmed. 

The nature and extent of the breach are still being investigated, both internally and by federal authorities. In communications with affected hospitals and healthcare entities, Oracle said it will not be notifying patients directly, passing to them the responsibility of determining whether compromised data was protected under HIPAA laws. However, the company added, it will identify impacted individuals and aid in the notification process, if necessary.

Questions remain, such as whether or not ransomware was deployed and how stolen credentials were used to access data from multiple entities. 

According to BleepingComputer’s report, impacted hospitals have since been extorted by a cybercriminal calling himself “Andrew,” who demanded millions of dollars in cryptocurrency, threatening to put stolen data up for sale on the dark web if payment was not received. However, cited sources said the actor has not claimed affiliation with any known cybercrime syndicate. 

The outlet also said customers have expressed frustration with Oracle’s lack of transparency about the incident. Further, it isn’t clear if the data breach was a single attack or a result of multiple incidents. 

As of Monday, there was no data for sale on dark web markets. 

This is a developing story. HealthExec has reached out to Oracle for comment. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
