
Two Data Breaches for Oracle Reported in a Matter of Weeks: Cybersecurity Trends

Oracle has reportedly experienced not one, but two data breaches in a matter of weeks, which they’ve apparently downplayed and/or failed to disclose.

In the first one, reported by BleepingComputer, a breach at Oracle Health impacted multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. In private communications sent to impacted customers and from conversations with those involved, BleepingComputer says it confirmed that patient data was stolen in the attack.

In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy data migration servers on February 20, 2025.


“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” reads a notification sent to impacted Oracle Health customers.

Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data “may” have included patient information from electronic health records.

However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.

Oracle Health is also telling hospitals that it will not notify patients directly and that it is the hospitals' responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications.


However, the company says they will help identify impacted individuals and provide templates to help with notifications.

Of course, as noted by The HIPAA Journal, a class action lawsuit has been filed against Oracle by a Florida resident in the U.S. District Court for the Western District of Texas over the breach.

The second of two data breaches (also reported by BleepingComputer) involved what Oracle described as “two obsolete servers.”

“Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” Oracle says in a customer notification shared with BleepingComputer.

Since the incident surfaced in March, when a threat actor (rose87168) put up 6 million data records for sale on BreachForums, Oracle has consistently denied reports of an Oracle Cloud breach in statements shared with the press. While this is admittedly true as it matches what Oracle is telling customers—that the breach impacted an older platform, Oracle Cloud Classic—this is merely wordsmithing, as cybersecurity expert Kevin Beaumont said.

“Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident,” Beaumont said. “Oracle are denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.”

Two data breaches in three months is not a good start to the year for Oracle. It will be interesting to see if any more information is disclosed about these breaches.

So, what do you think? Could Oracle have handled these breaches better? Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © Warner Bros. See what I did there? 😉

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

