Shadow Tier cyber intelligence
Back to overview
Oracle logo
oracle.com
Oracle
Confidence HighJan 22, 2025oracle.com

Oracle Health (Cerner) Legacy Server Breach

PatternExternal actor · Hacking · Confidentiality impact

In a separate incident from the Oracle Cloud breach, Oracle Health (formerly Cerner), a provider of electronic health record (EHR) systems, experienced a data breach. A hacker reportedly used stolen credentials to access legacy servers that had not yet been migrated to Oracle Cloud, leading to the exfiltration of healthcare records from various hospitals in the United States. The incident began on January 22, 2025, and Oracle first noticed the breach on February 20, 2025. The attacker is allegedly extorting Oracle Health customers, demanding cryptocurrency payments to withhold publishing the stolen data, which likely includes protected health information.

Signal date
Jan 22, 2025
Updated
Jun 19, 2026
Confidence
High
Sources
1 source
oracle.com logo

Oracle

Sector
Health Care and Social Assistance
Signals
1 linked
Scan this company

Signal context

First seen: Jan 22, 2025

Last updated: Jun 19, 2026

Status: Public signal

Key points

  • Hacker accessed legacy Oracle Health (Cerner) servers using stolen credentials.
  • Healthcare records from multiple U.S. hospitals were stolen.
  • The breach involved legacy systems not yet migrated to Oracle Cloud.

Signal analysis

Beta

This analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.

Affected organization
Oracle logo
Oracle

Sector: Health Care and Social Assistance

Likely country: 🇺🇸 United States

inferred from signal text

    Estimated
    Threat source
    Hacking activity

    Watch internet-facing systems, credential abuse and exploit activity.

    • Source type: outside the affected organization
    Business impact
    Potential data exposure

    Impact area: Confidentiality

    Likely asset: User or customer data, Server or cloud data store

    Trend context
    69 signals with similar action pattern
    • 6 signals in the same sector
    • 90 signals with the same likely impact area
    • 1 signal linked to this organization/domain
    Mentioned entities
    OracleData DisclosureOracle HealthCernerOracle CloudEHRUnited States. TheOracleHackerHealthcare

    External sources

    Related signals

    Grouped by why the signal is relevant.

    oracle.com logoOracleJun 10, 2026
    Same companySame action patternSame impact area

    Oracle PeopleSoft Zero-Day Exploited by ShinyHunters, Advisory Published

    Oracle published a security advisory on June 10, 2026, for CVE-2026-35273, a critical remote code execution flaw in PeopleSoft Enterprise PeopleTools. This vulnerability was actively exploited as a zero-day by the ShinyHunters cybercrime group in a campaign that ran from May 27 to June 9, 2026. The attacks compromised over 100 organizations, primarily colleges and universities, leading to data theft.

    huntsvillehospital.org logoHuntsvillehospitalJun 26, 2026
    Same sectorSame action patternSame impact area

    Huntsville Hospital Health System Notifies Patients of Data Exposure from Cerner Breach

    Huntsville Hospital Health System informed patients on June 26, 2026, about a data exposure stemming from a 2025 breach on Cerner's (now Oracle Health) legacy systems. The breach, which occurred on January 22, 2025, exposed personal and medical information. Cerner had notified its healthcare clients, including Huntsville Hospital, on August 12, 2025, but patient notification was delayed at the request of law enforcement.

    aclapc.com logoAclapcJun 23, 2026
    Same sectorSame action patternSame impact area

    ACLA Data Breach Exposes Social Security Numbers and Medical Information

    Anatomic and Clinical Laboratory Associates P.C. (ACLA) disclosed a data breach involving unauthorized access to its computer network. The breach, discovered in December 2025, exposed personally identifiable information (names, dates of birth, Social Security numbers, taxpayer identification numbers) and protected health information (medical dates of service, diagnoses, medical history) for 69 Massachusetts residents.

    kmha.org logoKmhaJun 19, 2026
    Same sectorSame action patternSame impact area

    Kentucky Mountain Health Alliance Discloses Data Breach Affecting SSNs and Medical Records

    Kentucky Mountain Health Alliance Inc., a nonprofit health center, disclosed a data breach to the Massachusetts Office of Consumer Affairs and Business Regulation on June 19, 2026. The incident involved unauthorized access to patient data, some of which was copied. The exposed information included driver's licenses, medical records, and Social Security numbers. The specific method of attack, dates of the incident, or discovery date remain unknown. The organization is offering affected individuals a free, two-year membership to identity monitoring services.

    hfmgt.com logoHfmgtJun 18, 2026
    Same sectorSame action patternSame impact area

    Horizon Family Medical Group Data Breach

    Reports emerged on June 18, 2026, of a possible data breach at Horizon Family Medical Group, a medical provider in New York's Hudson Valley region. Threat actor Incransom claimed to have stolen 7 TB of data, including medical information such as diagnoses, prescriptions, treatments, and lab results.

    irhythmtech.com logoIrhythmtechJun 8, 2026
    Same sectorSame action patternSame impact area

    iRhythm Confirms Data Stolen in Cyberattack, Ransom Demanded

    Digital health company iRhythm Holdings confirmed a cyberattack involving certain third-party-hosted business applications. The company learned of the breach on June 8, 2026, which resulted in the theft of patient protected health information, proprietary data, and other personal data. Attackers subsequently demanded a ransom.