Oracle Data Breach Litigation Claims Customer Information Was Exposed

Yes, customer information was exposed through multiple Oracle data breaches in 2025, triggering a $115 million privacy settlement approved by the Ninth Circuit Court of Appeals on February 13, 2026. The exposure involved three separate incidents affecting different Oracle systems, ranging from health records in hospitals to cloud infrastructure data impacting over 140,000 organizations. Oracle’s systems were breached through security vulnerabilities and exploited without the company implementing timely fixes, leaving millions of records exposed to unauthorized access. The settlement addresses a broader privacy complaint where Oracle allegedly captured, compiled, and sold individuals’ online and offline data to third parties without proper consent. This goes beyond the 2025 breach incidents—it involves Oracle’s data collection practices overall.

With the Mandate filed on March 31, 2026, the settlement is expected to become effective within months, meaning affected customers may become eligible for compensation depending on how they were harmed. The three separate breaches of 2025 have different implications for different groups of people. If you received healthcare at one of the 80 hospitals affected by the Oracle Health/Cerner breach, your medical records may have been exposed. If you used Oracle Cloud services, your data may have been compromised through the cloud infrastructure breach. If you worked for one of the 100+ companies hit by the Cl0p campaign targeting Oracle E-Business Suite, your company’s data was potentially exfiltrated.

WHAT WAS EXPOSED IN ORACLE’S 2025 DATA BREACHES?

Three distinct security incidents compromised Oracle customer data in 2025, each affecting different user populations and data types. The Oracle Health breach, stemming from a vulnerability identified around January 22, 2025, affected approximately 80 hospitals and health systems using Oracle’s Cerner platform. While the exact number of patient records remains unconfirmed by Oracle, the breach touched sensitive health information including medical histories, diagnoses, treatment records, and potentially social security numbers stored in patient databases. The Oracle Cloud breach was significantly larger in scale, with approximately 6 million records discovered to be compromised across more than 140,000 Oracle Cloud tenants. This breach exploited weaknesses in Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, allowing attackers to gain unauthorized access to customer environments.

A FINRA cybersecurity alert was issued warning about the potential data breach exposure. The breach affected organizations across financial services, technology, healthcare, and other industries, making this one of the most broadly impactful Oracle incidents of 2025. The third major incident involved the Oracle E-Business Suite, where over 100 companies were targeted through a Cl0p extortion campaign beginning November 20-21, 2025. Of those 100+ companies, 29 had their data actively exfiltrated by attackers. Major organizations affected included Cox Enterprises, Harvard University, and numerous other enterprises. This breach exploited a zero-day vulnerability in Oracle E-Business Suite that Oracle had not yet patched, giving attackers a window to extract databases, files, and proprietary information.

THE PRIVACY SETTLEMENT AND WHAT IT COVERS

The $115 million settlement fund addresses Oracle’s broader data practices, not just the 2025 breaches. The class action lawsuit alleges that Oracle improperly captured personal data about individuals from both online and offline sources, then compiled this data and sold it to third parties without obtaining proper consent. This is a more comprehensive complaint than a single breach—it involves how Oracle built and monetized data about consumers without their knowledge or agreement. The legal victory came when the Ninth Circuit Court of Appeals affirmed the settlement on February 13, 2026; the Mandate was then filed on March 31, 2026. This appellate court approval is significant because it means the settlement survived legal challenges and review by a higher court, suggesting the claims have substantial merit.

However, there’s a limitation to note: the exact structure of how payouts will be distributed is determined during the claims process. Some class members may receive cash payments, others may receive account credits or monitoring services, depending on their level of exposure and how claims are approved. The settlement becoming effective within months of the March 31 filing date means the window for claiming compensation will open relatively soon. People affected by the breaches or data practices will need to file claims proving their injury—whether through identity theft, compromised medical information, or unauthorized sale of personal data. The challenge is that not everyone affected will qualify for equal compensation; courts typically weight payouts based on the severity of impact and evidence of harm.

Oracle Data Breaches – 2025 Scope and Impact (chart; values in records/organizations)

Health/Cerner: 80
Oracle Cloud: 6,000,000
E-Business Suite: 100
Affected Companies: 140,000
Affected Organizations: 29

Source: Verified from HIPAA Journal, FINRA Cybersecurity Alert, American Bar Association, Google Cloud Threat Intelligence, and Bleeping Computer disclosure reports

THE HEALTHCARE DATA EXPOSURE AND PATIENT RECORDS

The Oracle Health breach is particularly concerning because it directly exposed protected health information (PHI) covered under HIPAA regulations. Health records contain some of the most sensitive personal information people have, including their medical conditions, medications, mental health treatment, and genetic information. The breach affected approximately 80 hospitals, meaning patients at major healthcare systems using Oracle’s Cerner platform faced exposure of their complete medical histories. The timeline of the breach shows an important security gap: the breach occurred around January 22, 2025, but wasn’t identified until approximately February 20, 2025. This month-long gap meant that attackers had roughly four weeks to potentially access, copy, or exfiltrate patient records before Oracle was even aware of the compromise.

For a hospital system, even one day of undetected unauthorized access is concerning; a four-week gap represents a significant security failure. Patient records typically include names, dates of birth, insurance information, diagnoses, treatment plans, and medication lists—all data that could be used for identity theft or sold to pharmaceutical companies. Unlike a typical data breach where a company discovers the breach and immediately notifies patients, this situation involved Oracle’s Cerner system, which is embedded in hospital operations. Individual hospitals may still be determining the full scope of which patient records were accessed, making it uncertain exactly how many people are ultimately affected. Patients at these facilities should assume their health information was exposed and should monitor their medical records and credit reports for signs of identity theft or fraudulent healthcare claims filed in their names.

WHAT CUSTOMERS SHOULD DO AFTER THESE BREACHES

If you were a patient at one of the 80 affected hospitals, an Oracle Cloud customer, or worked for one of the companies hit by the Cl0p breach, you should take immediate protective steps. First, place a fraud alert with the credit bureaus (Equifax, Experian, TransUnion) by contacting one bureau, which will then notify the others. This alert warns creditors that you may be a fraud victim and that they should verify your identity before opening new accounts. The fraud alert is free and typically lasts one year, though you can renew it. Second, review your credit reports at annualcreditreport.com for unauthorized accounts or inquiries you don’t recognize. For healthcare data specifically, request a copy of your health records from the affected hospital(s) and carefully review them for errors or signs of fraudulent treatment. Monitor your Explanation of Benefits statements from your insurance company to ensure no claims are being filed for medical services you didn’t receive.

If you notice fraudulent claims, contact your insurance company immediately and file a complaint with your state’s medical board. Additionally, consider placing a credit freeze with all three credit bureaus, which prevents creditors from opening accounts in your name without your explicit permission. A freeze costs little or nothing in most states and is stronger protection than an alert. You should also watch for the settlement claims process opening. Once the Oracle settlement becomes effective (expected within months of March 31, 2026), there will be a deadline to file a claim for compensation. You’ll likely need to prove your exposure—for example, providing hospital records showing you were a patient during the breach window, or documentation that you held an account with an affected Oracle Cloud tenant. Missing the claims deadline means losing the right to compensation, as courts typically do not extend deadlines for class action settlements except in rare circumstances. Set a reminder or check settlement websites regularly for claim filing information.

THE RISKS AND WARNING SIGNS OF BREACH-RELATED IDENTITY THEFT

Identity theft can take weeks or months to manifest after a data breach, giving criminals time to use stolen information. The most common warning sign is unexpected calls from creditors about accounts you don’t recognize, or credit card statements showing purchases you didn’t make. However, because the Oracle breaches exposed such varied information—health records, cloud infrastructure credentials, corporate databases—the specific risks vary by incident. For healthcare data, watch for medical bills from providers you’ve never visited or calls from collection agencies about medical debt you don’t owe. For the Oracle Cloud breach, the risk is more sophisticated. If attackers accessed your cloud environment, they potentially obtained databases, API keys, configuration files, and source code. Organizations should assume that any credentials stored in cloud environments were compromised and should rotate all API keys, passwords, and access tokens immediately.

Look for unauthorized API calls in your cloud audit logs or unexpected data exfiltration. For companies affected by the Cl0p campaign targeting E-Business Suite, assume that financial records, customer data, and proprietary business information were exfiltrated. The Cl0p gang has a history of threatening to publish stolen data unless ransom is paid, so victims may receive extortion demands. A significant limitation of breach notifications is that companies don’t always tell you everything that was exposed. Oracle may still be conducting forensic investigations to determine the full scope of compromised data. You may not receive complete information about what specific records of yours were accessed. The safest approach is to assume the worst—that all your personal information held by these organizations was exposed—and take protective measures accordingly. Don’t wait for Oracle to confirm exactly what information about you was compromised.

OTHER COMPANIES AND ORGANIZATIONS AFFECTED

The Cl0p extortion campaign targeting Oracle E-Business Suite affected a broad cross-section of major companies, not just tech businesses. Cox Enterprises, one of the United States’ largest media and communications companies, disclosed that its data was stolen during the breach window. Harvard University, one of the world’s most prestigious academic institutions, was also impacted. These aren’t small organizations with minimal data; they’re large enterprises managing millions of employee and customer records.

When major corporations like Cox suffer data breaches, it typically affects both their employees and customers who may have information stored in their systems. The broader impact shows how Oracle system vulnerabilities cascade across industries. A zero-day vulnerability in Oracle E-Business Suite became a tool for extracting data from financial institutions, healthcare organizations, government contractors, universities, and manufacturing companies. Over 100 companies were targeted in a relatively short window, suggesting attackers quickly weaponized the vulnerability once it was discovered. Some companies detected the intrusion immediately; others may not have known they were compromised until the attacker demanded ransom or threatened to publish the data publicly.

LONG-TERM IMPLICATIONS AND FUTURE OUTLOOK

The Oracle breaches of 2025 highlight a persistent problem in the technology industry: critical vulnerabilities in widely-used systems remain unpatched for extended periods, creating massive exposure windows. Oracle E-Business Suite is used by thousands of organizations globally, and the zero-day vulnerability existed from November 2025 until Oracle released patches. Even after patches are available, organizations often take weeks or months to apply them, continuing the exposure period. This vulnerability-to-patch-to-deployment cycle remains one of the most exploited attack vectors in enterprise security.

Looking forward, the $115 million settlement and increased regulatory scrutiny may pressure Oracle to improve its security practices and data handling policies. However, settlements typically don’t prevent future breaches—they compensate past victims. The real test will be whether Oracle implements stronger security controls, faster vulnerability patching, and more transparent data practices going forward. For customers relying on Oracle systems, the takeaway is clear: assume that any Oracle system you use could be compromised, maintain strong access controls, monitor for unauthorized activity, and keep backups of critical data in case you need to rebuild systems after a breach.

Conclusion

Oracle’s 2025 data breaches exposed customer information across three separate incidents—health records in hospitals, cloud infrastructure data, and corporate databases—while a separate privacy settlement addresses the company’s broader data practices. The $115 million settlement approved by the Ninth Circuit Court of Appeals in early 2026 provides a legal avenue for affected individuals to seek compensation, with the settlement expected to become effective within months of March 31, 2026. The breaches affected diverse populations ranging from hospital patients to cloud customers to large corporations.

If you were affected by any of these breaches, take immediate protective action by placing fraud alerts with credit bureaus, monitoring your credit and medical records, and rotating any compromised credentials. Watch for the settlement claims process to open and file a claim before any deadline passes. As the March 31, 2026 Mandate filing progresses toward settlement activation, more information about the claims process and compensation structure should become available. Review settlement updates regularly and document any harm you’ve experienced to support your claim for compensation.

