By Jeff Wardon, Jr., Assistant Editor

Oracle Health fell victim to a data breach that is now rippling across healthcare organizations.  

The attack occurred after a hacker stole patient data from legacy Cerner servers that hadn’t been migrated to Oracle Cloud, BleepingComputer reports. The attack was detected on February 20, 2025, and was carried out via use of compromised customer credentials sometime after January 22, 2025. Data that was stolen may have included patient records. 

The hacker, using the alias "Andrew," is extorting hospitals for millions in cryptocurrency and has created public websites about the breach, BleepingComputer reports. It is unclear whether ransomware was involved. 

According to The HIPAA Journal, Oracle has yet to make an official statement regarding the breach, but people familiar with the matter have said that the company has reached out to healthcare providers whose information may have been compromised.  

Related Content: Third-Party Vendors and Networks Pose Risks for Healthcare Cybersecurity

The healthcare industry currently makes up 41.2 percent of third-party breaches, according to a Black Kite report. Reliance on vendors to handle a high value of patient data has largely been to blame for the increase in attacks.  Because of this, cyber criminals have deemed that healthcare facilities are often willing to “pay more,” Eric O’Neill, former counterterrorism and counterintelligence operative for the FBI, previously told Healthcare Facilities Today. 

“They are perceived as generally paying because patient care suffers when systems go down,” says O’Neill. “Cyber attackers also know that the healthcare industry maintains very critical data that can cause massive reputation-related harm and severe downstream damage in identity theft. Because of this, they're perceived as being more likely to pay to get their data back or for the cybercriminal to destroy the data and not publish it on the dark web.” 

Additionally, the U.S. government has extended the national emergency for cyberattacks from foreign sources for another year beyond April 1, 2025, according to the Federal Register. The declaration originally came on April 1, 2015, due to the growing threat of such attacks. Since then, several executive orders have been issued to address the problem due to cyber threats posing a risk to national security, foreign policy and the economy. 

Jeff Wardon, Jr., is the assistant editor for the facilities market.