Oracle grapples with dual data breaches

One targeting health services, the other hitting Oracle Cloud

Oracle is dealing with the fallout of a double data breach — one exposing patient data at US hospitals, and another raising concerns about its cloud security.

Reports over the weekend suggest a breach at Oracle Health, formerly known as Cerner, has impacted multiple US healthcare organisations and hospitals. Threat actors are believed to have stolen patient data from legacy servers during the attack.

In a notice seen by BleepingComputer, Oracle Health said the attackers had accessed Cerner data stored on an old server that had not yet been migrated to Oracle Cloud.

Oracle Health informed affected customers that it became aware of the breach on 20^th February, after detecting unauthorised access to its legacy Cerner data migration servers.

While Oracle has yet to release an official statement on the matter, sources who spoke to BleepingComputer confirmed that patient information from electronic health records was stolen and copied to a remote server.

The FBI has launched an investigation into the breach, Bloomberg News reported on Friday, citing sources familiar with the matter.

Lingering questions from earlier breach reports

This Oracle Health breach follows earlier reports of another security incident involving Oracle Cloud’s federated Single Sign-On (SSO) infrastructure.

In mid-March, a threat actor going by the alias “rose87168” claimed to have stolen six million records from Oracle’s Cloud SSO login service, including encrypted SSO passwords and LDAP authentication data.

CloudSEK, a cybersecurity firm, attributes the alleged breach to an unpatched vulnerability in Oracle Fusion Middleware 11g, a platform the firm claims stopped receiving updates in 2014.

The attacker reportedly exploited this flaw to access the login endpoint login.us2.oraclecloud.com, which remained active until 17^th February this year.

Oracle initially denied a breach, stating that the leaked credentials were unrelated to its cloud services. However, CloudSEK’s investigation found evidence supporting the attacker’s claims, including leaked tenant domains linked to real Oracle Cloud users and archived GitHub repositories tied to affected systems.

The breach could affect up to 140,000 organisations globally and might expose authentication data attackers could use to breach interconnected systems, CloudSEK warned.