I’ve spent more time in hospital rooms than most people my age. Some of that is growing up around horses, and some of it is just being the kind of person who finds the ground faster than other people seem to. The thing nobody tells you about riding is that the ground is always closer than you think, and it is always harder than you remember. I’ve fractured my back. I’ve had more concussions than I can put in order anymore. I’ve been kicked in the face by an animal that outweighed me by a thousand pounds and didn’t mean anything by it, and I walked into the ER that night holding a bag of frozen corn to my eyebrow trying to make small talk with the woman at the front desk.
The funny thing about that kind of injury is that you can’t really hide it. As much as I tried, the stitches were there, and the swelling was there, and the scar is still there. I wear it every day. The horse does the talking for you. The doctor writes down what the horse said, and that’s the end of it.
But there are other scars I don’t have to wear every day, and those are the ones that get made in a different kind of room.
Those are the rooms where the doctor asks how many drinks you have in a week, and you have to decide, in the half-second before you answer, whether the number you say is going to be the real number or a smaller one. The ones where a nurse asks if you feel safe at home and you do the same calculation. The ones where a psychiatrist sits across from you and asks a question so quiet and so careful that you understand she is giving you a door, and you have to decide whether to walk through it. I’ve walked through that door and I’ve stayed on my side of it, and I’ve done both things in the same visit. Sometimes telling the truth is just more expensive than you can afford to spend in one afternoon. Sometimes you need the appointment to end so you can get back to your day. Sometimes you want, more than almost anything, for someone with more authority than you to tell you what is wrong. And other times you want the same person to not know yet, because once she knows, you can’t un-know it together, and you aren’t ready for what comes after.
The reason I’m laying all of this out is that a medical record isn’t a spreadsheet and it isn’t a file. It isn’t a row of data points or a de-identified genomic sample or whatever language the industry is using this quarter to make it sound like something you wouldn’t miss. It’s a catalog of small private decisions a person made about how much of herself to hand over in exchange for help, made inside rooms where the person across from her was bound by an old covenant to use what she said only to try to make her better. That covenant is the thing being destroyed right now.
Last month, without asking any of us, a man named Larry Ellison moved 150 million of those rooms onto a server next to a weapons program.
I think he violated the Third Amendment, and I mean that literally, not in the loose way people throw the word unconstitutional around on the internet when they mean something they don’t like. I mean the actual amendment, the quartering one, the one nobody has needed in two hundred and thirty-five years because nobody had figured out how to quarter soldiers in a civilian space without anyone noticing, and I think Larry Ellison just did.
February
All of this happened while Israel was striking Iran and the United States was moving in behind them. That timing matters, because every time this country has gone to war, the surveillance infrastructure built under the cover of urgency has stayed long after the war ended. The Patriot Act came after 9/11 and is still here. Mass surveillance programs built during the War on Terror are still running. Oracle moved on the week the country was looking somewhere else, and that is the window I want you to see the next seventeen days through.
On February 11, 2026, Oracle signed a contract with the Centers for Medicare and Medicaid Services to migrate the health records of more than 150 million Americans onto Oracle Cloud Infrastructure. Diagnoses, prescriptions, procedures, treatment histories, clinical data. Every American on federal health coverage.
On February 12, the day after, the United States Air Force awarded Oracle an $88 million contract to run classified military workloads on the same Oracle Cloud Infrastructure. The contract covers Top Secret, Sensitive Compartmented Information, and Special Access Program data, which is the most classified category in the U.S. government, above Top Secret. Oracle’s own press release referred to the Department of Defense as the “Department of War.”
On February 28, Oracle received government authorization to deploy generative AI across both the civilian health data and the classified military data simultaneously. Oracle’s own documentation describes AI Database 26ai as a tool that lets users “combine organization-specific information and public information when running agentic AI workflows.”
The health records of 150 million Americans and classified Air Force intelligence operations moved onto the same platform, with AI tools designed to combine data across domains authorized to operate across both. No public debate preceded this. No congressional vote authorized it. No beneficiary consented to it.
The person overseeing Oracle Health during all of this is Seema Verma. From 2017 to 2021, Verma served as the Administrator of CMS, the very agency that awarded Oracle this contract. She oversaw health coverage for 145 million Americans and managed a $1.4 trillion budget. During her tenure she approved more than $3.5 million in taxpayer-funded communications contracts to boost her own public profile, leading to a federal ethics investigation. She filed a claim requesting taxpayer reimbursement for a stolen $5,900 Ivanka Trump necklace. Two days before she left office in January 2021, she reported her government-issued phone lost, which resulted in the permanent destruction of all stored records. She was issued a replacement, returned it nine days later, and said she had forgotten the passcode, which made those records permanently inaccessible too.
Verma joined Oracle in April 2023. By January 2024 she had been promoted to Executive Vice President and General Manager of Oracle Health and Life Sciences. The person who was responsible for protecting the health data of 145 million Americans now runs the company that hosts that data alongside classified military systems, and the agency she used to lead is the one that gave her new employer the contract to do it.
Palantir
Oracle is the foundation, the infrastructure where the data physically lives. But there is a second company in this story, and it’s called Palantir.
Palantir was founded with seed funding from In-Q-Tel, the CIA’s venture capital firm. Its military platform, Gotham, is used by the U.S. Army, the CIA, and the NSA to analyze intelligence and assist with military targeting decisions. Palantir’s own website describes Gotham as a tool that “deploys proven AI to warfighters.” Remember the word warfighters. It’s going to matter.
Palantir also operates a civilian platform called Foundry, used by hospitals, the Department of Homeland Security, and civilian federal agencies. The two platforms are architecturally interoperable, meaning they are designed to share data across environments. Palantir’s own product documentation confirms this. A March 2026 Medact briefing analyzing Palantir’s contracts with the UK’s National Health Service described the interoperability as so seamless that data could be moved between the platforms through drag-and-drop functionality. I have not independently verified that specific level of ease from a primary source, and I am actively pursuing FOIA requests for the technical architecture documents, but the underlying interoperability between the military platform and the civilian platform is confirmed by Palantir themselves.
In February 2026, the Department of Homeland Security signed a $1 billion contract with Palantir to deploy both platforms across every DHS agency simultaneously, including ICE, FEMA, TSA, and CISA. The Trump administration was already in discussions to bring Foundry into Health and Human Services, the Social Security Administration, and the IRS.
When a reporter from WIRED asked Palantir’s Chief Technology Officer to defend the DHS contract on civil liberties grounds, he cited the Constitution and said that Palantir’s systems have “accountability controls ensuring compliance with constitutional rights, particularly the Fourth Amendment.”
He said particularly the Fourth Amendment. He didn’t mention the Third. And the Third Amendment was written for exactly the kind of situation he was being asked to defend.
The Third Amendment
No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Thirty-two words. The Supreme Court has already recognized what this amendment actually stands for in contexts remarkably close to the one at issue here. In Laird v. Tatum (1972), a group of civilians challenged a U.S. Army program that had been conducting surveillance on Americans who participated in lawful political protests during the Vietnam era. The Court declined to hear the merits on standing grounds, but in its analysis it cited the Third Amendment as evidence of what it called “the traditional and strong resistance of Americans to any military intrusion into civilian affairs.” And in Griswold v. Connecticut (1965), the Court cited the Third Amendment as one of the constitutional guarantees that creates what it called “zones of privacy.” The highest court in the country has already said, more than once, that this amendment protects something larger than the literal act of a soldier sleeping in a bedroom. It protects the right to have a private space the military cannot occupy.
The amendment has five operative elements, and every one of them maps onto what Oracle and Palantir have built.
No Soldier. The only major federal case to directly interpret the Third Amendment is Engblom v. Carey, decided by the Second Circuit Court of Appeals in 1982. During a corrections officer strike in New York State, the governor called in the National Guard to replace the striking officers, and the Guard members were housed in the officers’ on-site apartments, which the officers lived in as a condition of their employment. The court held that “soldier” under the Third Amendment extends beyond the standing Army to include National Guard members and any military personnel acting under government authority, and that “owner” extends beyond property holders to include anyone with lawful possession of a space, including tenants in employer-provided housing. The officers ultimately lost on qualified immunity, which is a procedural defense that shields government officials from personal liability when they could not have known they were violating someone’s rights. That procedural loss did not affect the constitutional principles the court established, and those principles are still good law today.
Oracle’s own documentation states that its National Security Regions are “air-gapped environments supported by government-cleared US citizens” and that “all ONSR operations are performed from securely managed Cloud Network Operations Centers by staff with TS/SCI clearances.” Those are real people, with military-grade security clearances, operating under Department of Defense authority, managing classified workloads from inside the same infrastructure that houses civilian health records. Under the logic of Engblom, personnel acting under military authority in a civilian space satisfy the amendment’s definition of soldier. Palantir’s users, whom the company itself describes as warfighters, fall into the same category.
In time of peace. The United States has not issued a formal congressional declaration of war since 1942. Every military conflict since then, including Korea, Vietnam, Iraq, Afghanistan, and the current conflict with Iran, has been conducted through presidential authorizations or congressional resolutions rather than formal declarations. The Third Amendment’s peacetime protection is triggered by the formal constitutional definition of war, which means the absolute protection applies right now, even with American troops in active combat. The government may argue that the Authorization for Use of Military Force functions as a constitutional equivalent, but no Congress has ever passed a law authorizing the co-location of military systems within civilian health data infrastructure, and a procurement contract between Oracle and the Air Force cannot authorize what Congress itself has not.
Be quartered. To quarter means to house, to give the military a place to live and operate from inside a space. The colonial history reinforces a broad reading. The 1765 Quartering Act placed British soldiers in inns, alehouses, and public buildings, and the colonists considered this a violation serious enough to help justify a revolution, even though the soldiers were rarely forced into occupied private homes. The injury was always about the military occupying civilian space at all. On Oracle’s cloud today, military AI systems and Top Secret classified workloads run permanently alongside civilian health records on shared infrastructure. The classified operations do not shut down at the end of the day. The military has claimed operational space in a civilian data environment, and the civilians who live there have no ability to use that space without coexisting with military operations.
In any house. Extending the word house from a physical building to a cloud data platform is a new legal question that no court has yet addressed, and I want to be straight about that. But the Harvard Civil Rights-Civil Liberties Law Review was already arguing in 2013 that the internet is a space “at least partly internal to the home” and that military operations in cyberspace could trigger Third Amendment protections. The legal scholarship for a functional reading of house predates the facts of this case by over a decade. And Oracle’s own technical documentation does a lot of work here. Oracle calls your data’s location a “home region.” It calls your account a “tenancy,” which is the legal term for the relationship between a person who occupies a space and the entity that owns the building. Its flagship data platform is called a “lakehouse.” These are Oracle’s own choices, in their own developer documentation. They chose housing language because the analogy is accurate. Data lives somewhere. It resides on infrastructure. It has a home. Oracle named it a house, and the Constitution protects the house.
Without the consent of the Owner. No Medicare beneficiary, Medicaid enrollee, or VA patient was ever asked whether they consented to their health records sharing infrastructure with classified Air Force workloads. That consent was never sought and never given. And even if Oracle or the government tried to argue that enrollment in Medicare constitutes some form of implied consent to whatever Oracle does with the data, the argument collapses under scrutiny. For most Americans over 65, Medicare is the only viable health coverage available. Opting out is theoretically possible but functionally impossible. Consent that is extracted from a person who has no realistic alternative is not consent. Engblom already established that owner covers more than the person who holds the deed. In that case, corrections officers living in state-provided apartments were found to have lawful possession and a legitimate interest in the space, and that was enough. The same logic applies here. Medicare beneficiaries did not choose Oracle as their data’s host. The government chose their landlord for them. But their diagnoses, medications, and treatment histories reside there permanently, and Oracle calls them tenants.
The Fourth & HIPAA
The Fourth Amendment is the one most people think of when they hear government overreach, and in a sane world it would cover this. But in Smith v. Maryland (1979), the Supreme Court established what became known as the third-party doctrine, which holds that once you voluntarily share information with a third party, whether a bank, a phone company, a doctor, or a government program, that information loses its Fourth Amendment protection. You shared it, you accepted the risk, and the protection is gone. When you filed your Medicare claim, you shared your medical history with the government’s contractor, and under the third-party doctrine, the Fourth Amendment barely applies to what happens to that data next. The Supreme Court tried to narrow the doctrine in Carpenter v. United States (2018), but the Court kept the ruling narrow, declined to overturn the third-party doctrine as a whole, and specifically excluded national security activities from the ruling’s scope.
HIPAA is the law most people assume protects their health data. HIPAA does prevent your doctor from selling your diagnosis to a marketing company and prevents your insurer from sharing your records with your employer. But HIPAA doesn’t apply to the federal government acting in its own capacity, and it contains a written exception at 45 C.F.R. § 164.512(k)(2) that allows any covered entity to disclose health records to federal officials for intelligence and national security purposes with no warrant, no court order, and no notice to the patient.
There is a distinction here that matters. HIPAA authorizes access, meaning the government can come to the door and request specific records under specific circumstances. The Third Amendment addresses a completely different question, which is whether the military gets to permanently reside inside the same space as your data. A police officer can get a warrant to enter your home and search it, but the legal authority to visit your home does not give the military the right to move in and live there. And the fact that HIPAA already provides a legal pathway for the government to request health data when it needs it for national security actually strengthens the Third Amendment argument, because it means the permanent co-location of military systems alongside your health records is unnecessary for national security. It is merely convenient for Oracle, and convenience doesn’t override a constitutional protection.
The Breach
Beginning around January 22, 2025, an unauthorized person gained access to Oracle Health servers, specifically the legacy Cerner systems being migrated to Oracle Cloud. Patient data was stolen, including names, dates of birth, Social Security numbers, medical record numbers, treatment histories, and clinical records from hospitals across the country. 262,831 patients at Union Health were affected. 145,269 patients at Mosaic Life Care were affected. At least 80 hospitals were hit, and the full scope remains unknown.
Oracle discovered the breach around February 20, 2025. For weeks, they informed hospital customers but denied it involved Oracle Cloud. When it came time to notify patients, Oracle sent the notifications without Oracle letterhead and told hospitals to handle the communications themselves, on plain paper, with no Oracle branding. The FBI opened a criminal investigation.
The breach happened during migration, the exact moment when civilian health data was being moved onto Oracle’s cloud, the same cloud that now hosts Air Force classified workloads. The civilian side of the infrastructure failed the people whose data lives there before the full integration was even complete, and the people who were harmed found out through unsigned letters on blank paper.
China’s Military Fusion Model
In 2017, Chinese President Xi Jinping formalized a national strategy called military-civil fusion, creating a Central Commission under his personal authority to eliminate barriers between China’s civilian economy and its defense sector. Every Chinese hospital, tech company, and university now has its data, research, and technology available to the People’s Liberation Army on demand.
The United States has spent years condemning this approach. We sanctioned Huawei over it. We restricted TikTok over it. The State Department called military-civil fusion one of the most pressing national security threats facing the United States. The bipartisan consensus was that when you erase the line between civilian life and military power, everything becomes a weapon.
And while the U.S. government was publicly condemning China’s approach, Oracle was embedded in the Chinese government’s data infrastructure. Oracle entered China in the 1980s, and by the 2000s its database technology ran across Chinese government agencies at every level. The Intercept documented that Oracle employees actively marketed surveillance and analytics tools to Chinese police and military-linked clients, including in Xinjiang during what the U.S. State Department has called a genocide of Uyghur Muslims. Georgetown University’s Center for Security and Emerging Technology documented how a Chinese surveillance broker became Oracle’s “Partner of the Year.” And Larry Ellison, Oracle’s chairman, went on Fox Business and criticized Google for “going into China and facilitating the Chinese government surveilling their people” while his own company was doing the same thing.
The company that helped build China’s surveillance infrastructure is now the company hosting 150 million Americans’ health records alongside classified Air Force systems. The country that spent years saying military-civil fusion is the most dangerous thing a nation can do is quietly building the same architecture through private contracts, with no congressional vote and no public debate.
What Drey v. Oracle Asks For
The argument I’ve laid out is called Drey v. Oracle, and what it asks a court to do is simpler than you’d expect.
We are asking for structural separation: a court order, known as injunctive relief, requiring that civilian health data and military workloads be kept on architecturally separate platforms, with separate vendors and independent audits, and that any future co-location requires informed, opt-in consent from the people whose data is involved. We are pointing to a law that already exists, that already applies, and that has already been violated, and the argument requires a court to read 32 words.
And the window is closing for a reason that has nothing to do with politics. Oracle is migrating the health records of 150 million Americans onto a cloud that also runs classified military workloads, and once that integration is complete, no court is going to order Oracle to pull it apart, because by then millions of people’s healthcare will depend on it. The window to act is right now, while the migration is still in progress.
What I Need (You!)
If you are a Medicare or Medicaid patient whose data was part of the Oracle Health breach in 2025, I want to hear from you, especially if you’re also a military veteran whose VA records are on Oracle’s systems. In federal court, the first question a judge asks is whether the person bringing the case has standing, meaning a concrete injury that is traceable to the defendant and that the court can do something about. A breach victim whose data was stolen has a concrete injury that already occurred. A veteran whose records exist on both the civilian and military sides of Oracle’s infrastructure has the clearest connection to the co-location argument. If you are both, your standing would be the strongest of anyone’s.
If you are a constitutional attorney, a civil liberties litigator, or a law professor, I need to be straightforward. I am not a lawyer. I am an investigative journalist who spent months building an argument, documenting every fact, and sourcing every claim. What I’ve laid out in this article is, I believe, a viable constitutional case. But I cannot file it. I need a lawyer or a legal team willing to take this on, evaluate it with fresh eyes, and if the argument survives their scrutiny, bring it before a federal court. The research is done, the facts are documented, the plaintiff profile is defined, and the window is open. What’s missing is you.
235 years ago, a generation of people who had lived with soldiers in their towns wrote 32 words to make sure it would never happen to anyone again, and then they handed those 32 words to us.
We haven’t used them yet. It’s time.
SOURCES CITED
The Contracts
“Oracle Cloud Infrastructure to Support Centers for Medicare and Medicaid’s Modernization Initiative”
Oracle Corporation, February 11, 2026.“Oracle books $88M Air Force Cloud One contract” – Washington Technology staff
Washington Technology, February 11, 2026.“Oracle Secures DISA IL5, FedRAMP High Authorizations for GenAI and Exadata”
The Silicon Review, March 2, 2026.
Oracle Infrastructure Documentation
“Oracle Cloud Infrastructure: Uncompromising cloud security across U.S. government classification levels”
Oracle Cloud Blog, November 9, 2025.“Oracle Cloud Isolated Region FAQ”
Oracle Corporation, April 24, 2023.
Seema Verma
“Oracle Selects Former Head of Medicare For Trump as EVP of Oracle Health”
Ingram’s (reporting Bloomberg), February 7, 2024.“CMS Did Not Administer and Manage Strategic Communications Services Contracts in Accordance with Federal Requirements” (OIG Audit Report A-06-18-07002)
HHS Office of Inspector General, July 14, 2020.“HHS defends Trump appointee over lost jewelry claim” – AP
PBS NewsHour, December 8, 2019.“Seeking Records from Seema Verma’s Lost Cell Phone”
American Oversight, August 19, 2021.
The Court Cases
Laird v. Tatum, 408 U.S. 1 (1972) – Full opinion
Justia U.S. Supreme Court, decided June 26, 1972.Griswold v. Connecticut, 381 U.S. 479 (1965) – Full opinion
Justia U.S. Supreme Court, decided June 7, 1965.Engblom v. Carey, 677 F.2d 957 (2d Cir. 1982) – Full opinion
UMKC School of Law Constitutional Law archive, accessed April 2026.Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952) – Full opinion
Justia U.S. Supreme Court, decided June 2, 1952.Smith v. Maryland, 442 U.S. 735 (1979) – Full opinion
Justia U.S. Supreme Court, decided June 20, 1979.Carpenter v. United States, 585 U.S. _ (2018) – Official Supreme Court opinion (PDF)
Supreme Court of the United States, decided June 22, 2018.Yearsley v. W. A. Ross Construction Co., 309 U.S. 18 (1940) – Full opinion
Justia U.S. Supreme Court, decided February 26, 1940.
Constitutional Text and Statutes
“Third Amendment – Overview of Third Amendment, Quartering Soldiers”
Cornell Law School Legal Information Institute, accessed April 2026.“45 C.F.R. § 164.512 – Uses and disclosures for which an authorization is not required” (HIPAA national security exception)
Cornell Law School Legal Information Institute, accessed April 2026.“Quartering Act of 1765” – Primary source text
American Battlefield Trust, accessed April 2026.
Palantir
“DHS Opens a Billion-Dollar Tab With Palantir” – Dell Cameron and Dhruv Mehrotra
WIRED, February 19, 2026.“Briefing: Concerns Regarding Palantir Technologies and NHS Data Infrastructure (FDP)”
Medact, March 11, 2026.“The CIA-backed venture fund that helped launch Palantir and Anduril”
Fortune, July 28, 2025.
The Oracle Health Data Breach (2025)
“Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack”
HIPAA Journal, May 12, 2025.“Mosaic Life Care breach exposes sensitive patient data of over 145,000 individuals”
HIPAA Times, August 11, 2025.“Oracle Health Data Breach | Lawsuit Investigation”
ClassAction.org, March 30, 2025.
Oracle in China
“How A Chinese Surveillance Broker Became Oracle’s ‘Partner of the Year’”
Georgetown University Center for Security and Emerging Technology (CSET), April 22, 2021.“Google’s push into China is ‘shocking’: Oracle’s Larry Ellison” – Larry Ellison interview
Fox Business, October 26, 2018.
China’s Military-Civil Fusion
“The Chinese Communist Party’s Military-Civil Fusion Policy”
U.S. Department of State, January 13, 2020.
Legal Scholarship
“A New Role for the Forgotten Amendment?” – Stewart Baker
Harvard Civil Rights–Civil Liberties Law Review, February 11, 2013.“When Cyberweapons End Up on Private Networks: Third Amendment Implications for Cybersecurity Policy” – Alan Butler
American University Law Review, Vol. 62, Issue 5, 2013.
