OK, so let’s get this straight. TikTok had to be sold because given its Chinese ownership, it was a danger to our privacy, and on top of that, a danger to national security. But no worries, because according to business guru and data analyst Donald Trump, all-American Oracle had the technical capacity to “handle” the TikTok acquisition and handle TikTok itself. Nothing that a $100 billion Trump-inspired AI initiative couldn’t solve.

Meanwhile, back in 2022, Oracle acquired Cerner, the healthcare data company. It has now managed, as of just a few weeks ago, to get precisely its Cerner data hacked. So while Oracle could, at least in Donald Trump’s mind, handle TikTok, it couldn’t, in fact, manage to handle Cerner.

Given Lawrence Abrams’s breaking coverage at BleepingComputer, it’s clear that Oracle’s Cerner data was hacked in the middle of its corporate acquisition process (the data integration parts of such processes take years), which makes the Oracle hack an exact re-play of the Change Health hack last year: Change was hacked in the middle of its acquisition by UnitedHealth Group’s Optum division.* Russian hackers, obviously familiar with the vulnerabilities involved in one corporation’s acquiring (the data of) another, took the opportunity to hack Change, succeeded in spades, and made out like bandits.

The Change hack compromised some 190 million patient accounts–more than half of the population of the United States (56%)–and brought much of the financial side of the US health care system to a halt. There were significant clinical consequences as well, but we probably won’t know the details until after all of the guilty parties are safely beyond the reach of litigation, and some fraction of the truth can be told without consequence. Predictably, Change has filed to have all federal lawsuits against it dismissed, and may well prevail. Because what’s the point of running a limited liability corporation if you can be held legally liable for the disasters you cause?

What would Pythia say? (Temple of Apollo at Delphi, photo credit: Paul Stephenson from London, Wikipedia)

Americans seem absolutely convinced that their “national security” requires a proxy war in Ukraine, proxy wars in Syria and Lebanon, the destruction of Palestine, the annihilation of Yemen, the annexation of Canada and Greenland, the deportation of 11 million mostly well-settled migrants, a halt to any further immigration from abroad, and the prospect of all-out war with China. Setting aside Ukraine, that’s Donald Trump’s foreign policy. Half the country voted for it, and most people are cool with it. The other half voted to continue the bloodbath in Ukraine.

What if I told you that there was a more dangerous enemy than any of those, and much closer to home? What if I told you that the invaders had direct access to the American health care system, and therefore had direct access to your personal, financial, and medical information, and were perfectly willing to throw all of that data directly into the Web, to be harvested and sold by the most unscrupulous people on the planet?

What if I told you that hackers had normalized the process of hacking your data by making it as routine as an annual checkup with your physician? And what if I threw in for good measure that these hacks didn’t just affect matters of data security or privacy, but had significant clinical consequences, closing down emergency departments and operating rooms, getting patients diverted from one hospital to the next, and potentially putting vital medical devices at the mercy of the hackers themselves?

Blame AI for this image

There’s no need to treat all of that as hypothetical, of course. Much of it, and more, is true of the garden variety hospital hacker, and what hasn’t yet happened is in development. After years of fighting the Russians, exterminating Arabs, and uprooting and deporting foreigners, we still take for granted that we’re helpless to defend our health care system against cyberattacks. Never mind that these attacks take place virtually every other week, cost millions of dollars a pop, and have the potential to wipe out whole hospital systems and kill the patients in them.

In the world we’ve managed to normalize, hacking doesn’t fit the profile of a real threat, so it simply can’t be one. The real threats must be coming from Russian troops in Donetsk, the walking dead of Jabalia Refugee Camp, and Guatemalan campesinos crossing the Rio Grande. The first we hit with drones. The second we hit with bombs. The third we push back into the river. But there’s nothing comparable to be done to hackers. So they must not be a big deal.

So far, the cyberattacks we’ve seen have merely been extortion rackets, about money. At some point, of course, the calculus will change, and we’ll get AI-driven cyber-terrorism. If you count the Israelis as terrorists, as I do, we already have (lethal) AI-driven cyber-terrorism. But whether you do or you don’t, the point is, it’s here.

And just as we supplied the bombs to destroy the hospitals of Gaza, so someone, somewhere, is supplying the know-how to hack our vaunted Electronic Health Records, and our Internet of Things, not just to extort money from some hospital CEO, but to kill a bunch of the patients in the hospital’s beds. Problematic things happen in a hospital even when everything’s working. Break everything, and people die. Figure out how to break things, particularly from afar, and you can make them die. It’ll take some ingenuity, but it can be done. They don’t pay programmers and developers the big bucks for nothing.

When it happens, if it happens, just remember that ultimately, the whole thing was our idea. We had the bright idea of destroying their health care systems. We had the bright idea of connecting our lives to ill-protected WiFi networks. We were the ones who decided that killing foreigners and expelling migrants were higher priorities than securing our own health care infrastructure. You really can’t complain if the victims of our policies send us the virus we’ve been asking for. I’m sure they’re hard at work at it: if I can think of it, so can they. Means, motive, and opportunity are all in place. The rest is a matter of time and circumstance. And the indefinite future will furnish plenty of that.

---

*I wrote the original version of this post before I’d read Abrams’s article, and so, hedged the claim I made in this sentence to reflect my uncertainty. But Abrams’s story confirms my suspicion, so I’ve re-written the sentence accordingly. From Abrams’s article:

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” reads a notification sent to impacted Oracle Health customers.

That the data was “on an old legacy server not yet migrated to the Oracle Cloud” has no bearing at all on Oracle’s responsibility for it, or for the significance of the breach. A company remains responsible for “legacy data” a couple of years old, and “legacy data” can be as sensitive as data imported into a server five minutes ago. Every Social Security number is “legacy data,” but it would be absurd to suggest that breaching someone’s Social Security number is a trivial matter. I highly recommend reading Abrams’s article (see link above), both for the quality of the reporting, and for a sense of the transparent bad faith with which Oracle has conducted itself.

Speaking of “legacy,” it’s incredible that legacy media has had nothing to say about this event, but last I checked (a minute ago), The New York Times’s most recent story on Oracle was published March 18 of this year: “Oracle’s Role in TikTok’s Future Gets Capitol Hill Scrutiny.” There’s not a word in this article about the Oracle/Cerner data breach. So “scrutiny” seems a commodity in short supply.