Oracle Health (previously called Cerner Corporation) has not yet published the number of people affected by the data breach it experienced. However, according to the breach notifications given to state attorneys general, over 14,480 individuals were confirmed as impacted, though the precise total is undoubtedly larger.
Although several states publish their breach notification letters, few disclose the number of affected individuals; those that do include South Carolina, Texas, Washington, and Massachusetts. California has also published Oracle Health’s breach notice, but it did not say how many people were affected.
- California – Not known
- Washington – 802 affected State residents
- South Carolina – 2,989 impacted State residents
- Texas – 4,082 affected State residents
- Massachusetts – 6,562 impacted State residents
Total: A minimum of 14,485 individuals
Oracle Health has previously said that it is the job of each impacted HIPAA-covered entity to determine whether there was a breach that requires a report to the HHS’ Office for Civil Rights (OCR). Consequently, the affected covered entity customers will probably file the breach reports themselves with OCR in compliance with HIPAA rules. This makes it difficult to determine the number of impacted people.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security alert in April 2025 regarding the verified Oracle data breach. According to Oracle, an unauthorized person obtained access to its cloud environment, but the medical care provider gave minimal information about the incident. Threat actor activity reportedly focused on Oracle customers, although the extent of that activity was not stated.
The breached data consists of email addresses, usernames, authentication tokens, passwords, and encryption keys. This compromised data puts enterprise environments at risk. CISA advises Oracle clients to take action to defend against unauthorized access and notes that credential material embedded in scripts, software, infrastructure templates, and automation software can be challenging to identify. If no action is taken, unauthorized actors can likely use that credential material for continuous access to business environments.
Compromised credentials pose a risk because threat actors routinely collect and reuse them. Information stolen in past breaches may be sold to other threat actors and used to carry out phishing or BEC attacks. Valid credentials may be used to elevate privileges and move laterally inside systems, or to gain access to cloud and identity management solutions.
The advised mitigations include resetting passwords through enterprise servers, primarily where local credentials could not be federated via enterprise identity solutions. Source code should be reviewed, together with infrastructure-as-code and configuration files, automation templates, and code templates, to find embedded credentials, which should be replaced with secure authentication methods. Authentication logs must be checked for anomalous activity, specifically for privileged, service, or federated identity accounts, and where possible, phishing-resistant multifactor authentication should be enforced, specifically for manager accounts.
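The review for embedded credentials described above can be partly automated. The following Python sketch is an added example, not code from CISA or Oracle: the rule names, the file suffix list, and the sample files (with fake secrets) are all assumptions constructed for illustration. It flags literal passwords, tokens, and private keys while skipping values that only reference a variable or secret store.

```python
import re
from pathlib import Path

# Patterns for the credential material named above: passwords, tokens, keys.
RULES = {
    "assigned-secret": re.compile(
        r"""(?i)[\w.-]*(?:passw(?:or)?d|pwd|secret|token|api[_-]?key)[\w.-]*"""
        r"""["']?\s*[:=]\s*["']?(?P<val>[^\s"',;]+)"""),
    "bearer-token": re.compile(r"\bBearer\s+(?P<val>[A-Za-z0-9._~+/-]{20,})"),
    "url-password": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<val>[^\s@/]+)@"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# A value that points at a variable or secret store is not an embedded secret.
INDIRECT = re.compile(r"^(?:\$\{?\w|\{\{|os\.environ|var\.|data\.)")

def scan_text(name, text):
    """Return (file, line number, rule) for each embedded credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                val = m.groupdict().get("val")
                if not (val and INDIRECT.match(val)):
                    # Record the location only, never the secret itself.
                    findings.append((name, lineno, rule))
    return findings

def scan_tree(root, suffixes=(".sh", ".py", ".tf", ".yaml", ".yml", ".json")):
    """Scan a checkout; the suffix list is an assumption to adapt locally."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes)
    return [f for p in files for f in scan_text(str(p), p.read_text(errors="replace"))]

# Constructed sample files; every secret below is fake.
SAMPLES = {
    "deploy.sh": '#!/bin/sh\nDB_PASSWORD="S3cr3t-constructed"\n'
                 'curl -H "Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345" https://api.example.test/v1\n'
                 'export API_TOKEN="${VAULT_TOKEN}"\n',
    "main.tf": 'resource "aws_db_instance" "a" { password = "Winter2025-constructed" }\n'
               'resource "aws_db_instance" "b" { password = var.db_password }\n',
    "app.yaml": "database_url: postgres://svc_ehr:Pg-constructed-pw@db.example.test:5432/ehr\n"
                "signing_key: |\n  -----BEGIN RSA PRIVATE KEY-----\n",
}

def scan_samples():
    return [f for name, text in SAMPLES.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for finding in scan_samples():
        print("%s:%d: %s" % finding)
```

Each finding marks a credential to rotate and replace with a reference to a secret store; pattern matching of this kind misses encoded or split secrets, so it supplements manual review rather than replacing it.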