
Do No Harm (Terms and Conditions May Apply)

“Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.”

— The Hippocratic Oath, approximately 400 BC

That promise held for about two thousand four hundred years. Then Larry Ellison put your medical records up for sale and his data centers under NDA.

The HYPAAcritical Oath.

I’ve been covering Oracle for a while now, tracing threads across media consolidation, federal cloud contracts, classified AI authorizations, and a data architecture that keeps getting bigger every time I turn around. Most of those stories are about power at a distance: infrastructure deals, Gulf money, merger filings. This one is different. This one is about the file your doctor pulled up the last time you went in for bloodwork.

Oracle paid $28.3 billion for the company that built that system. They let it deteriorate, lost clients, watched a veteran die because of a software error, and are now reportedly considering selling the whole thing off. Which raises a question that’s been keeping me up: if they’re willing to walk away from the company, what exactly did they keep?

I think the answer is your data. And I think the law that was supposed to prevent that stopped working about twenty years ago without anyone updating it.

At the end of this piece, I’m going to give you something specific to do about it. Something that can actually create pressure right now. So stay with me.

The Drey Dossier is reader-supported. If you find this work important, consider becoming a paid subscriber.

Larry Ellison and Elizabeth Holmes

Larry Ellison founded Oracle in 1977 and has been one of the most powerful men in American technology for nearly fifty years. If you haven’t heard of Oracle, you’ve still used what they build. Oracle makes the database software that runs behind the scenes at banks, hospitals, airlines, and most of the federal government. Their entire business has always been built on the same thing: managing massive amounts of information about people and selling the tools to access it. The most recent version of that is your healthcare data, through Cerner, Medicare, and Medicaid.

This wasn’t his first swing at it either. Most billionaires eventually decide that death is a problem money can solve. Ellison decided the real opportunity was earlier than that: reading your biology before you ever get sick.

One of his early personal bets was Theranos, the company that claimed it could diagnose hundreds of diseases from a single drop of blood. Elizabeth Holmes turned out to be a fraud and the company collapsed, but the investment tells you something about what Ellison gravitates toward. In May 2022 he put $21.5 million into an Israeli startup called Imagene AI, which built an AI that reads biopsy images to detect cancer mutations. Results in two minutes instead of several weeks. Every healthcare investment he has made personally follows the same logic: biological information about you, read earlier, processed faster.

He had been trying to build health data AI for years, and the trail of failed attempts tells you how badly he wanted it. In 2018, he co-founded a company called Project Ronin with oncologist David Agus, the doctor who treated Steve Jobs. The idea was to build software that could plug into the digital record systems hospitals already use, systems like Cerner and Epic, and analyze patient data in real time to help oncologists make better treatment decisions. It ran for six years. Hospitals weren’t adopting it. In March 2024, Project Ronin shut down and laid off all 150 of its employees.

Here’s the pattern: he couldn’t get access to the data he needed without owning the systems those hospitals already ran on. So he bought them.

And he has told you exactly what he planned to do with it. Multiple times. On camera. At his own events. September 2024, at Oracle’s Financial Analyst Meeting: “Citizens will be on their best behavior because we are constantly recording and reporting everything that’s going on.” February 2025, at the World Government Summit in Dubai, standing in front of heads of state, he said every nation needs to unify all of its citizen data, health records, genomic data, all of it, into a single AI-accessible database. October 2025, at Oracle AI World, he told investors that Oracle’s databases already contain most of the world’s high-value private data, and described AI agents that would connect patients to hospitals to insurers to regulators to banks in one automated system.

He said all of that on the record. On camera. At events he organized.

Cerner

In June 2022, Ellison paid $28.3 billion for a company called Cerner, the largest acquisition in Oracle’s history. Cerner was the biggest health IT company in the United States. If you’ve ever been to a hospital or a clinic and a doctor pulled up your chart on a computer, there’s a decent chance the software behind that screen was Cerner. Same goes for doctors at military bases or VA physicians. Most of them were on Cerner as well.

Their systems ran inside more than 14,000 medical facilities across 24 countries, including the VA, the Department of Defense, the CDC, and dozens of NHS hospitals in the UK. It had taken the company decades to embed itself that deeply into the places where your most sensitive information lives.

Two days after the acquisition closed, Ellison hosted a virtual briefing called “The Future of Healthcare.” He announced that Oracle would build a national health records database, pulling anonymized data from thousands of hospital systems across the country, and train AI on it to monitor and diagnose disease. Two days. He didn’t wait for the ink to dry.

Oracle “Health” (still Cerner)

What happened next tells you a lot about what Oracle actually wanted from this deal.

The most important piece of Cerner’s business was its contract with the VA to modernize the electronic health record system used by millions of veterans across the country. That contract was originally worth $10 billion. From the moment Oracle took over, the situation deteriorated. In 2024, the VA’s own Inspector General documented that a scheduling error in Oracle’s system contributed to the death of a veteran in Ohio. A referral was lost in the software. He didn’t get the care he needed in time. When the VA surveyed its own clinical staff, 58 percent said the system increased patient safety risk. The entire rollout was paused in 2023. By that point, the estimated cost to finish the project had ballooned to $37 billion, and they had only reached six hospitals out of 170.

Oracle lost 74 hospital clients in 2024 alone, the first year they refused to even share their client list with industry analysts. Key executives who had been sent specifically to turn Cerner around quietly left in early 2026. None of the core problems were fixed. Not the VA rollout. Not the safety record. Not the market share.

If your goal was to build the best electronic health record system in the world, none of that makes sense. But Oracle was building something else entirely.

Because while all of that was happening, they had constructed an entirely new health record system from scratch, one built on Oracle’s own cloud with no Cerner software underneath it. This new system sits on top of Cerner’s data and learns from it. Once that migration is complete, the old Cerner software isn’t needed anymore. What Oracle keeps is the data, the medical histories from 14,000 facilities. What they’d be selling off is the old system and the liability that comes with it.

On January 29, 2026, an investment bank called TD Cowen published a research note suggesting Oracle should consider selling Cerner to stabilize its finances. They paid $28.3 billion for it less than three years ago.

You don’t walk away from $28 billion unless you’ve already gotten what you came for.

And here’s what a Cerner sale would mean for real people. The VA has announced it is restarting deployments of this system at 13 new sites beginning in April: Detroit, Saginaw, Ann Arbor, Battle Creek, then facilities in Ohio, Kentucky, Indiana, and Cleveland. Veterans at those sites would have their medical records mid-migration when a sale happens. Not safely stored somewhere. Mid-migration, being moved from one system to another, to a new owner that hasn’t been named, under terms that haven’t been disclosed.

These are veterans whose healthcare is being moved onto a system that has already been linked to patient deaths and safety failures, run by a company under financial pressure and potentially not even the owner of the system by the time the migration is finished.

And yet again it is veterans who absorb the consequences of decisions they had no part in making. This country has a long history of that. This is the latest one.

The Dominos

Let me walk you through three things Oracle has done since buying Cerner. Each one builds on the last.

In November 2025, Oracle received a federal designation that made it what’s called a Qualified Health Information Network, or QHIN. Here’s what that actually means. When your medical records need to move, say your cardiologist sends your file to your insurance company, or a hospital transfers your records to a government agency, or a specialist requests your history from your primary care doctor, those records travel through a federally regulated system. Think of it as a highway that medical data travels on. Oracle just became the tollbooth on that highway, the infrastructure the road runs through. Oracle doesn’t just store records for the hospitals that use its software anymore. It sees medical data moving between doctors, hospitals, insurers, and government agencies even when none of those parties use Oracle products. Your records in motion, across the entire healthcare system, visible to a single company. Storage is a generous word for that.

On February 11, 2026, CMS (the Centers for Medicare and Medicaid Services) awarded Oracle the contract to host and modernize its core technology systems. That covers Medicare, Medicaid, the Children’s Health Insurance Program, and the ACA marketplace. Programs that together serve more than 150 million Americans.

Here’s why that matters on top of Cerner. Cerner gave Oracle clinical records, what happened in the exam room. Your diagnoses, your prescriptions, your lab results. CMS data is different. It’s claims data, the financial record of your healthcare. Every procedure that was billed, every prescription that was filled, every diagnosis that was coded for reimbursement, what it cost, and who paid for it.

On their own, each of those datasets is powerful. Together, they are something that has never existed before in private hands: a complete picture of what happened to a patient’s body and what it cost the system, for more than 150 million Americans, inside a single company’s infrastructure. To put that number in perspective: more Americans are in this dataset than voted in the 2020 presidential election.

On January 29, Oracle launched something called the Life Sciences AI Data Platform, a commercial product that gives pharmaceutical companies, medical device companies, and insurance companies access to 129 million de-identified patient health records. Not snapshots. Complete medical histories spanning years. For drug development, clinical trials, and something called “coverage and pricing decisions.”

I want to stop on that last one because it’s the one that will affect you most directly. If an insurer can buy access to millions of complete medical histories and run AI on them, looking for patterns that predict who will develop expensive conditions, who will need repeated hospitalizations, who is statistically likely to cost them money, that changes how insurance works in ways most people haven’t thought about yet.

Here’s a concrete example. Say you were treated for depression when you were 26. You got better. You moved on with your life. Under the Affordable Care Act, an insurer cannot deny you coverage because of that. But if that insurer can now build a predictive model, trained on millions of records just like yours, that says people with your exact medical history cost 40 percent more over the next decade, they can price your premium accordingly. They didn’t deny you coverage. They just made it more expensive to be you. The legal protection is technically intact. The practical protection is gone.

The product that monetizes everything Oracle has been building launched thirteen days before the contract that would add 150 million more Americans to that dataset. Those are the dates. You can draw your own conclusions.

Eighteen Identifiers

HIPAA, the Health Insurance Portability and Accountability Act, has been the main legal framework protecting your medical privacy since 2002. Most people have heard the name. Most people assume it means their health information is private. And in a lot of ways, for a long time, it was. But HIPAA was written before the iPhone existed. Before social media. Before anyone had conceived of training an AI on the health records of an entire country. The law was built to protect against a world where the threat to your privacy was someone breaking into a filing cabinet. The filing cabinet era is over.

Here is the specific gap Oracle walked through.

HIPAA allows something called de-identification. The idea was reasonable: medical research needs data to study disease patterns, develop new drugs, understand how treatments work across large populations. But researchers don’t need to know who you are specifically. They need to know that a 45-year-old woman in the southeast was diagnosed with Type 2 diabetes, prescribed metformin, and had these outcomes over five years. They don’t need your name attached.

So HIPAA created a rule: if you remove 18 specific types of identifying information from a health dataset (names, addresses, Social Security numbers, dates of birth, phone numbers, email addresses, and so on) that dataset is legally no longer considered protected health information. It becomes, in the eyes of the law, anonymous. And once it’s anonymous, it can be sold, shared, and used without any of the restrictions that normally apply to your medical records. No patient consent required. No notification. No limits on what gets built with it.

This wasn’t a secret loophole. It was an intentional policy decision. And for a while, it worked. Pharmaceutical companies bought de-identified data to study disease progression. Insurers used it to model risk at a statistical level. An entire industry grew up around it. Companies like IQVIA built multi-billion-dollar businesses aggregating de-identified records from pharmacies, hospitals, and insurers, and selling the patterns. By 2025, the de-identified health data market was worth roughly $9 billion a year.

Everyone accepted this arrangement because of a single assumption: that once you stripped out those 18 identifiers, what remained couldn’t be traced back to you.

That assumption was wrong. And it has been provably wrong for over two decades.

Three Data Points, Twenty Dollars

The most important work on this was done by Dr. Latanya Sweeney at Harvard. In the late 1990s, the state of Massachusetts released what it called de-identified hospital discharge records, names removed, Social Security numbers removed, supposedly anonymous. Sweeney took those records and combined them with a completely separate, publicly available dataset: voter registration rolls, which anyone can buy for about $20. Using just three pieces of information (date of birth, ZIP code, and gender) she re-identified the medical records of the Governor of Massachusetts. His diagnoses. His prescriptions. His doctor’s notes. Three data points. Twenty dollars.

She then ran a broader analysis and found that 63 percent of all Americans can be uniquely identified using only those same three fields: date of birth, sex, and five-digit ZIP code. A later study put that number at 87 percent. All three of those fields are routinely left in de-identified datasets because HIPAA does not require them to be removed.

HIPAA’s own de-identification standard, followed perfectly, still leaves the majority of Americans identifiable to anyone with access to a second dataset and a basic understanding of statistics.
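A data custodian's check for the three-field problem described above, as an added example that is not part of the original article: it measures how many records in a release are unique on birth date, sex and ZIP, and what coarsening those fields and suppressing outliers does to that number. The records, field names and the threshold of 3 are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of a "de-identified" release: names and SSNs are gone,
# but birth date, sex and 5-digit ZIP remain. Not real data.
RELEASE = [
    {"dob": date(1945, 7, 31), "sex": "M", "zip": "02138", "dx": "I10"},
    {"dob": date(1945, 3, 2),  "sex": "M", "zip": "02139", "dx": "E11"},
    {"dob": date(1945, 11, 19), "sex": "M", "zip": "02138", "dx": "J45"},
    {"dob": date(1962, 1, 15), "sex": "F", "zip": "02139", "dx": "F32"},
    {"dob": date(1962, 1, 15), "sex": "F", "zip": "02139", "dx": "E11"},
    {"dob": date(1962, 9, 8),  "sex": "F", "zip": "02141", "dx": "I10"},
    {"dob": date(1988, 5, 23), "sex": "F", "zip": "02138", "dx": "F32"},
    {"dob": date(1988, 12, 1), "sex": "M", "zip": "01002", "dx": "J45"},
]


def exact(rec):
    """Quasi-identifier as released: full birth date, sex, 5-digit ZIP."""
    return (rec["dob"], rec["sex"], rec["zip"])


def generalized(rec):
    """Coarsened quasi-identifier: birth year, sex, first three ZIP digits."""
    return (rec["dob"].year, rec["sex"], rec["zip"][:3])


def audit(records, key):
    """Return (k, unique_fraction, class_sizes) for quasi-identifier `key`.

    k is the size of the smallest group of records sharing the same
    quasi-identifier values; unique_fraction is the share of records that
    are alone in their group and so can be singled out by anyone holding
    a second dataset with the same fields.
    """
    classes = Counter(key(r) for r in records)
    k = min(classes.values())
    unique = sum(1 for n in classes.values() if n == 1)
    return k, unique / len(records), classes


def suppress_to_k(records, key, k_target):
    """Drop every record whose group is smaller than k_target.

    Whole groups are removed, so the remaining groups keep their sizes
    and the result is k_target-anonymous on `key`.
    """
    classes = Counter(key(r) for r in records)
    return [r for r in records if classes[key(r)] >= k_target]


if __name__ == "__main__":
    for name, key in (("exact", exact), ("generalized", generalized)):
        k, frac, _ = audit(RELEASE, key)
        print(f"{name:12s} k={k} unique={frac:.0%}")
    kept = suppress_to_k(RELEASE, generalized, 3)
    k, frac, _ = audit(kept, generalized)
    print(f"suppressed   k={k} unique={frac:.0%} kept={len(kept)}/{len(RELEASE)}")
```

The check covers only these three columns; it says nothing about what the remaining fields, such as the diagnosis codes, reveal in combination.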

That was before AI.

In 2018, researchers published a study in the Journal of the American Medical Association showing that a machine learning algorithm could re-identify specific individuals from a de-identified physical activity dataset. No names. No birthdays. No ZIP codes. Just patterns in how much someone moved, when they were active, how their behavior changed over time. The AI matched those behavioral patterns to demographic records and found the people anyway.

Here’s the core problem. HIPAA’s de-identification rule was designed to protect you from a human adversary, someone sitting at a desk with one or two spreadsheets trying to figure out which record is yours. It was never designed to protect you from a machine that can simultaneously cross-reference behavioral data, purchase records, location history, Medicare claims, clinical records from 14,000 hospitals, and the daily activity logs of 170 million TikTok users and find matches in seconds.

Oracle has all of those datasets. Under the same roof. Under the same leadership. Running on AI systems that Ellison has explicitly described as designed to “reason across private data” and connect patients to hospitals to insurers to regulators to banks in a single automated system.

Oracle says the data in its platform is de-identified, and under the current legal standard, it probably is. But de-identification doesn’t mean what it meant in 2002. It doesn’t mean what most people think it means. It means that 18 categories of identifiers have been removed. It does not mean you can’t be found. And the company determining whether the de-identification is adequate is Oracle. The entity auditing that determination is nobody.

The last time Oracle built detailed profiles on people without their consent, using a system called Oracle Data Cloud that tracked browsing behavior, purchase history, and social media activity for billions of people, they settled a federal class-action lawsuit for $115 million and shut the advertising business down. What’s different this time is that what Oracle is doing with health data may not even be illegal. The moment the data is de-identified, HIPAA steps aside. The 129 million patients whose records are in that platform never consented to their medical histories being sold to pharmaceutical companies, used to train insurance pricing models, or fed into commercial AI. Under the current law, their consent was never required.

The Contract Nobody Has Seen

There is one document that could answer the most important question in this story: what is Oracle actually allowed to do with your Medicare data?

A federal contract this sensitive should contain specific provisions. What the contractor can and cannot do with the data beyond hosting it. Whether re-identification is prohibited. What audit rights the government retains. What happens if those terms are violated. Those kinds of protections are standard in government data contracts. They are what accountability looks like on paper.

The CMS contract with Oracle has not been publicly disclosed. There is no award notice in SAM.gov, the government’s public contract database. The public learned this contract existed because Oracle published a press release. Not because CMS announced it. I looked for the document. It does not exist in any public database.

That means we do not know what Oracle is contractually permitted to do with the Medicare and Medicaid data of 150 million Americans. We don’t know whether re-identification is prohibited. We don’t know what audit rights exist. We don’t know what the consequences are for a violation. That level of secrecy, for a contract of this magnitude, is not normal.

The Cops Are Being Fired

Every piece of what I’ve described is being evaluated in isolation by a different part of the government. The VA contract is treated as a defense procurement issue. The CMS contract is treated as a health IT modernization issue. The QHIN designation goes through a different agency entirely. No single regulator is looking at Oracle’s combined position across all of them at the same time.

And the specific office responsible for enforcing the law that’s supposed to protect your medical privacy is being gutted as we speak. The HHS Office for Civil Rights, known as OCR, is the federal office that enforces HIPAA. They investigate when your health data is mishandled. They levy fines. They require corrective action. They are the watchdog.

HHS has lost roughly 20,000 employees since January 2025 through a combination of DOGE-directed cuts, buyouts, and workforce reductions. The cops are being fired while the biggest data grab in American healthcare history is underway.

And here is the detail that should make all of this land differently. The US government required Oracle, specifically Oracle, to implement data isolation, algorithm audits, an independent oversight board, and legally binding national security terms before it was allowed to manage TikTok’s US data for 170 million Americans. Congress looked at the idea of a single company controlling that much personal information and said: that is a national security risk, and it requires a formal legal framework of oversight before we allow it.

Your TikTok has those protections. Your Medicare record does not. The company that built the governance framework for TikTok has never been asked to apply it to itself.

The Pressure Point

I’ll tell you what doesn’t work: waiting. Waiting for Congress to reform HIPAA. Waiting for an administration that has spent the last year gutting the agencies responsible for protecting you. Waiting for someone else to notice.

I’ll tell you what does get attention and creates pressure: public embarrassment. When I first covered Ellison’s keynote at Oracle’s AI conference, the one where he described training AI on patient health data, I asked everyone reading to go to that keynote on YouTube and leave one comment: “I do not consent to my health data being used to train AI.” Thousands of you did it. The same message, over and over. Oracle turned off the comments. They didn’t issue a statement. They didn’t push back. They just quietly shut it down. That tells you everything. They don’t have a good answer. They just don’t want you asking the question where other people can see it.

So let’s do it again. Bigger.

The Senate HELP Committee (Health, Education, Labor and Pensions) has direct oversight over HHS and HIPAA. These are the senators whose job it is to ask the questions I just spent this entire piece asking. They haven’t.

Go to ShowUsTheContract.com. The site will randomly assign you a HELP Committee senator. It’ll give you their name, their handle, and if you need inspiration, a list of comparisons to choose from. Or make up your own. The format is simple:

“We know more about ______ than what Oracle is allowed to do with our Medicare and Medicaid data.”

Make it funny. Make it yours. Make it obvious how absurd it is that we don’t know what Oracle’s contract says. Tag your senator. Tag me so I can share it.

We don’t need everyone to understand the whole story. We just need enough people asking the same question at the same time that it becomes impossible to ignore.

