Two women have filed a class-action lawsuit against Oracle Health, accusing the company of failing to protect sensitive patient information during a recent cyberattack that allegedly compromised data from several U.S. hospitals.
The complaint, filed in the U.S. District Court for the Western District of Missouri on April 11, alleges that hackers accessed Oracle’s legacy Cerner servers — which had not yet been migrated to Oracle Cloud — using stolen customer credentials. The breach, which Oracle discovered around Feb. 20, exposed names, Social Security numbers, clinical testing results and other protected health information, according to the filing obtained by Becker’s.
The lawsuit claims Oracle failed to properly secure and monitor its systems after acquiring electronic health record vendor Cerner for $28.3 billion in 2022 and integrating it into its health division.
One hacker, identified only as “Andrew,” has reportedly demanded millions in cryptocurrency to avoid leaking the stolen data, according to BleepingComputer. Oracle, based in Austin, Texas, has denied that a breach occurred, despite multiple online reports suggesting otherwise and a separate alleged breach of Oracle Cloud’s federated login system.
The plaintiffs — Rebecca Blount of Arizona and Cheryl McCulley of California — claim Oracle failed to notify impacted individuals and hospitals, and assert that the company’s response has been inadequate. The lawsuit also accuses Oracle of violating several federal and state laws, including HIPAA, the FTC Act and multiple California privacy laws.
Ms. Blount and Ms. McCulley said they were never informed of the breach directly by Oracle. Both allege they now face ongoing risks of identity theft and financial fraud, and have already incurred costs related to protecting their information.
The suit seeks monetary damages and calls for Oracle to implement stronger security measures. It also demands transparency from Oracle about what happened and how it will prevent similar incidents in the future.
Oracle Health has not yet responded publicly to the lawsuit.
Becker’s has reached out to Oracle Health and will update the story if more information is learned.
