Oracle has told some of its Cerner customers in the US that hackers have stolen data from ‘legacy servers’ but so far isn’t publicly acknowledging the breach.
Oracle in the US has notified some of its healthcare customers that, some time after 22 January, hackers breached legacy Cerner servers holding customer data and stole patient records, with the likely intent of extortion.
According to a report in Bleeping Computer, Oracle Health sent private letters to multiple affected customers, including hospitals and other healthcare organisations, saying that it was aware of a breach of legacy Cerner data migration servers.
Bleeping Computer quoted the letter:
“We are writing to inform you that, on or around 20 February 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud.”
The company warned customers in the letter that stolen data may include patient information from electronic medical records and that the compromised information contained recent records as well.
The FBI is now investigating the incident after ransom demands involving the stolen data were apparently made to some affected customers, something Oracle has so far not confirmed.
Oracle’s Cerner EMR is deployed across major hospitals in Australia in Queensland, NSW and Victoria.
There is no suggestion that any of these instances have been attacked or are under imminent threat. Had such an attack occurred on Australian Cerner servers, the company would be subject to Australian mandatory breach-reporting obligations, including reporting the incident to the Australian Cyber Security Centre and notifying affected customers.
Oracle said that the attacks occurred on customer instances which had not been migrated to Oracle Cloud servers.
Most Australian instances have not been migrated to Oracle Cloud either. The attacks, however, appear to have been facilitated by stolen customer credentials, presumably those of customers of US healthcare instances, so an un-migrated instance is not in itself evidence of exposure; the reported initial access vector is credential compromise, not the legacy platform as such.
It has so far not been explained how stolen customer credentials could have allowed the theft of data from multiple organisations in that country.
Further, and with respect to the security of Oracle Cloud servers in general, the incident follows hot on the heels of an alleged breach of Oracle Cloud's federated SSO login servers, in which a hacker claimed to have stolen authentication data for six million people. As proof of access, the hacker apparently uploaded a text file to an Oracle Cloud login server; an archived copy of that file showed the hacker's email address.
According to a report in Information Age, the hacker shared a list of victims which contained over 1600 Australian domain names, including Telstra, Optus, NBN Co, Westpac, Sportsbet, Australian Securities Exchange (ASX), Coles, Woolworths, Carsales.com.au, Kogan, BigPond, Wilson Parking, Bunnings, Origin Energy, Blackmores, Red Balloon, Yahoo Australia, Qantas, NAB, Choice, Kmart, Deloitte, MyNRMA, HSBC Australia, The Star, Dymocks, Suncorp, Boral, and EnergyAustralia.
Oracle has denied the incident, releasing a public statement saying there has been “no breach of Oracle Cloud” whatsoever.
“The published credentials are not for the Oracle Cloud,” a spokesperson said in the statement.
“No Oracle Cloud customers experienced a breach or lost any data.”
In late 2023 the Australian government announced that it would be building a new Oracle Cloud for Australian government and Defence in Canberra which would offer the Australian government a highly secure hyperscale cloud platform that allows government customers to build and run applications.
This cloud instance is physically isolated from Oracle’s other public and government cloud regions and shares no backbone connections with them, including the existing Sydney and Melbourne public regions that are available to all Oracle Cloud customers.
Bleeping Computer reported that some of the US hospitals affected by the Cerner hack are being extorted by a threat actor demanding millions of dollars in cryptocurrency, and that some customers were becoming very frustrated with the lack of transparency in Oracle’s response and the absence of clear guidance on how to respond to the incident.