A Florida resident filed a class action lawsuit against Oracle Corporation in the U.S. District Court for the Western District of Texas over a data breach in January 2025. Oracle has not publicly announced a data breach, and no incident is posted on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal. At this time, the number of individuals affected by the breach is uncertain.
The law firm Shamis & Gentile filed the lawsuit on behalf of plaintiff Michael Toikach and other similarly situated individuals whose personal data were compromised in the breach. The plaintiff asserts that Oracle held his personal data and protected health information (PHI) through the healthcare organization that used Oracle’s software. The lawsuit claims Oracle did not use acceptable, industry-standard IT security procedures to properly store, protect, and dispose of the sensitive information it received and retained for business purposes. According to the lawsuit, these data security failures resulted in the successful cyberattack and data breach. Specifically, the lawsuit states that Oracle had insufficient network segmentation, lacked employee cybersecurity and HIPAA training, and had insufficient monitoring and alerting systems.
The breach occurred on or about January 22, 2025, and Oracle discovered it on February 20, 2025. The lawsuit alleges that Oracle failed to issue breach notifications, which the HIPAA Breach Notification Rule requires entities to send without unnecessary delay and within 60 days of the discovery of a data breach. The lawsuit also alleges a violation of the Texas data breach notification law. Similar to HIPAA, Texas law requires notifications to be sent without unnecessary delay and no later than 60 days after the discovery of a data breach.
The lawsuit states that the late issuance of notifications, along with insufficient transparency concerning the data breach, has deprived the plaintiff and class members of the information they need to deal with the threats and exposure. Because their sensitive personal and health information was compromised, the plaintiff and class members allege that they face a greater and continuing threat of identity theft and fraud, with the increased risk possibly lasting for years.
The lawsuit alleges negligence, negligence per se, unjust enrichment, breach of third-party beneficiary contract, and breach of fiduciary duty. The plaintiff and class members seek a jury trial, compensatory damages, reimbursement of out-of-pocket expenses, and extended credit monitoring services. The lawsuit also seeks injunctive relief requiring Oracle to implement several security measures, such as data encryption, routine penetration testing, third-party security checks, automated security monitoring, and improvements to its HIPAA security awareness training course.