The taxpayers are never going to be safe, since it seems the government runs its own unique and complex scam on Americans.
https://thedreydossier.substack.com/p/do-no-harm-terms-and-conditions-may
Mar 18, 2026
“Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.”
— The Hippocratic Oath, approximately 400 BC
That promise held for about two thousand four hundred years. Then Larry Ellison put your medical records up for sale and his data centers under NDA.
The HYPAAcritical Oath.
I’ve been covering Oracle for a while now, tracing threads across media consolidation, federal cloud contracts, classified AI authorizations, and a data architecture that keeps getting bigger every time I turn around. Most of those stories are about power at a distance: infrastructure deals, Gulf money, merger filings. This one is different. This one is about the file your doctor pulled up the last time you went in for bloodwork.
Oracle paid $28.3 billion for the company that built that system. They let it deteriorate, lost clients, watched a veteran die because of a software error, and are now reportedly considering selling the whole thing off. Which raises a question that’s been keeping me up: if they’re willing to walk away from the company, what exactly did they keep?
I think the answer is your data. And I think the law that was supposed to prevent that stopped working about twenty years ago without anyone updating it.
Larry Ellison founded Oracle in 1977 and has been one of the most powerful men in American technology for nearly fifty years. If you haven’t heard of Oracle, you’ve still used what they build. Oracle makes the database software that runs behind the scenes at banks, hospitals, airlines, and most of the federal government. Their entire business has always been built on the same thing: managing massive amounts of information about people and selling the tools to access it. The most recent version of that is your healthcare data, through Cerner, Medicare, and Medicaid.
He had been trying to build health data AI for years, and the trail of failed attempts tells you how badly he wanted it. In 2018, he co-founded a company called Project Ronin with oncologist David Agus, the doctor who treated Steve Jobs. The idea was to build software that could plug into the digital record systems hospitals already use, systems like Cerner and Epic, and analyze patient data in real time to help oncologists make better treatment decisions. It ran for six years. Hospitals weren’t adopting it. In March 2024, Project Ronin shut down and laid off all 150 of its employees.
Here’s the pattern: he couldn’t get access to the data he needed without owning the systems those hospitals already ran on. So he bought them.
And he has told you exactly what he planned to do with it. Multiple times. On camera. At his own events. September 2024, at Oracle’s Financial Analyst Meeting: “Citizens will be on their best behavior because we are constantly recording and reporting everything that’s going on.” February 2025, at the World Government Summit in Dubai, standing in front of heads of state, he said every nation needs to unify all of its citizen data, health records, genomic data, all of it, into a single AI-accessible database.
Cerner
In June 2022, Ellison paid $28.3 billion for a company called Cerner, the largest acquisition in Oracle’s history. Cerner was the biggest health IT company in the United States. If you’ve ever been to a hospital or a clinic and a doctor pulled up your chart on a computer, there’s a decent chance the software behind that screen was Cerner. Same goes for doctors at military bases or VA physicians. Most of them were on Cerner as well.
Their systems ran inside more than 14,000 medical facilities across 24 countries, including the VA, the Department of Defense, the CDC, and dozens of NHS hospitals in the UK. It had taken the company decades to embed itself that deeply into the places where your most sensitive information lives.
Two days after the acquisition closed, Ellison hosted a virtual briefing called “The Future of Healthcare.” He announced that Oracle would build a national health records database, pulling anonymized data from thousands of hospital systems across the country, and train AI on it to monitor and diagnose disease. Two days. He didn’t wait for the ink to dry.
Oracle “Health” (still Cerner)
What happened next tells you a lot about what Oracle actually wanted from this deal.
The most important piece of Cerner’s business was its contract with the VA to modernize the electronic health record system used by millions of veterans across the country. That contract was originally worth $10 billion. From the moment Oracle took over, the situation deteriorated. In 2024, the VA’s own Inspector General documented that a scheduling error in Oracle’s system contributed to the death of a veteran in Ohio. A referral was lost in the software. He didn’t get the care he needed in time. When the VA surveyed its own clinical staff, 58 percent said the system increased patient safety risk. The entire rollout was paused in 2023. By that point, the estimated cost to finish the project had ballooned to $37 billion, and they had only reached six hospitals out of 170.
Oracle lost 74 hospital clients in 2024 alone, the first year they refused to even share their client list with industry analysts. Key executives who had been sent specifically to turn Cerner around quietly left in early 2026. None of the core problems were fixed. Not the VA rollout. Not the safety record. Not the market share.
If your goal was to build the best electronic health record system in the world, none of that makes sense. But Oracle was building something else entirely.
Because while all of that was happening, they had constructed an entirely new health record system from scratch, one built on Oracle’s own cloud with no Cerner software underneath it. This new system sits on top of Cerner’s data and learns from it. Once that migration is complete, the old Cerner software isn’t needed anymore. What Oracle keeps is the data, the medical histories from 14,000 facilities. What they’d be selling off is the old system and the liability that comes with it.
On January 29, 2026, an investment bank called TD Cowen published a research note suggesting Oracle should consider selling Cerner to stabilize its finances. They paid $28.3 billion for it less than three years ago.
You don’t walk away from $28 billion unless you’ve already gotten what you came for.
The Dominos
Let me walk you through three things Oracle has done since buying Cerner. Each one builds on the last.
In November 2025, Oracle received a federal designation that made it what’s called a Qualified Health Information Network, or QHIN. Here’s what that actually means. When your medical records need to move, say your cardiologist sends your file to your insurance company, or a hospital transfers your records to a government agency, or a specialist requests your history from your primary care doctor, those records travel through a federally regulated system. Think of it as a highway that medical data travels on. Oracle just became the tollbooth on that highway, the infrastructure the road runs through. Oracle doesn’t just store records for the hospitals that use its software anymore. It sees medical data moving between doctors, hospitals, insurers, and government agencies even when none of those parties use Oracle products. Your records in motion, across the entire healthcare system, visible to a single company. Storage is a generous word for that.
On February 11, 2026, CMS (the Centers for Medicare and Medicaid Services) awarded Oracle the contract to host and modernize its core technology systems. That covers Medicare, Medicaid, the Children’s Health Insurance Program, and the ACA marketplace. Programs that together serve more than 150 million Americans.
Here’s why that matters on top of Cerner. Cerner gave Oracle clinical records, what happened in the exam room. Your diagnoses, your prescriptions, your lab results. CMS data is different. It’s claims data, the financial record of your healthcare. Every procedure that was billed, every prescription that was filled, every diagnosis that was coded for reimbursement, what it cost, and who paid for it.
On their own, each of those datasets is powerful. Together, they are something that has never existed before in private hands: a complete picture of what happened to a patient’s body and what it cost the system, for more than 150 million Americans, inside a single company’s infrastructure. To put that number in perspective: more Americans are in this dataset than voted in the 2020 presidential election.
On January 29, Oracle launched something called the Life Sciences AI Data Platform, a commercial product that gives pharmaceutical companies, medical device companies, and insurance companies access to 129 million de-identified patient health records. Not snapshots. Complete medical histories spanning years. For drug development, clinical trials, and something called “coverage and pricing decisions.”
The product that monetizes everything Oracle has been building launched thirteen days before the contract that would add 150 million more Americans to that dataset. Those are the dates. You can draw your own conclusions.
Eighteen Identifiers
HIPAA, the Health Insurance Portability and Accountability Act, has been the main legal framework protecting your medical privacy since 2002. Most people have heard the name. Most people assume it means their health information is private. And in a lot of ways, for a long time, it was. But HIPAA was written before the iPhone existed. Before social media. Before anyone had conceived of training an AI on the health records of an entire country. The law was built to protect against a world where the threat to your privacy was someone breaking into a filing cabinet. The filing cabinet era is over.
Here is the specific gap Oracle walked through.
HIPAA allows something called de-identification. The idea was reasonable: medical research needs data to study disease patterns, develop new drugs, understand how treatments work across large populations. But researchers don’t need to know who you are specifically. They need to know that a 45-year-old woman in the southeast was diagnosed with Type 2 diabetes, prescribed metformin, and had these outcomes over five years. They don’t need your name attached.
So HIPAA created a rule: if you remove 18 specific types of identifying information from a health dataset (names, addresses, Social Security numbers, dates of birth, phone numbers, email addresses, and so on) that dataset is legally no longer considered protected health information. It becomes, in the eyes of the law, anonymous. And once it’s anonymous, it can be sold, shared, and used without any of the restrictions that normally apply to your medical records. No patient consent required. No notification. No limits on what gets built with it.
This wasn’t a secret loophole. It was an intentional policy decision. And for a while, it worked. Pharmaceutical companies bought de-identified data to study disease progression. Insurers used it to model risk at a statistical level. An entire industry grew up around it. Companies like IQVIA built multi-billion-dollar businesses aggregating de-identified records from pharmacies, hospitals, and insurers, and selling the patterns. By 2025, the de-identified health data market was worth roughly $9 billion a year.
Everyone accepted this arrangement because of a single assumption: that once you stripped out those 18 identifiers, what remained couldn’t be traced back to you.
That assumption was wrong. And it has been provably wrong for over two decades.
Three Data Points, Twenty Dollars
The most important work on this was done by Dr. Latanya Sweeney at Harvard. In the late 1990s, the state of Massachusetts released what it called de-identified hospital discharge records, names removed, Social Security numbers removed, supposedly anonymous. Sweeney took those records and combined them with a completely separate, publicly available dataset: voter registration rolls, which anyone can buy for about $20. Using just three pieces of information (date of birth, ZIP code, and gender) she re-identified the medical records of the Governor of Massachusetts. His diagnoses. His prescriptions. His doctor’s notes. Three data points. Twenty dollars.
She then ran a broader analysis and found that 63 percent of all Americans can be uniquely identified using only those same three fields: date of birth, sex, and five-digit ZIP code. A later study put that number at 87 percent. All three of those fields are routinely left in de-identified datasets because HIPAA does not require them to be removed.
HIPAA’s own de-identification standard, followed perfectly, still leaves the majority of Americans identifiable to anyone with access to a second dataset and a basic understanding of statistics.
That was before AI.
In 2018, researchers published a study in the Journal of the American Medical Association showing that a machine learning algorithm could re-identify specific individuals from a de-identified physical activity dataset. No names. No birthdays. No ZIP codes. Just patterns in how much someone moved, when they were active, how their behavior changed over time. The AI matched those behavioral patterns to demographic records and found the people anyway.
Here’s the core problem. HIPAA’s de-identification rule was designed to protect you from a human adversary, someone sitting at a desk with one or two spreadsheets trying to figure out which record is yours. It was never designed to protect you from a machine that can simultaneously cross-reference behavioral data, purchase records, location history, Medicare claims, clinical records from 14,000 hospitals, and the daily activity logs of 170 million TikTok users and find matches in seconds.
Oracle has all of those datasets. Under the same roof. Under the same leadership. Running on AI systems that Ellison has explicitly described as designed to “reason across private data” and connect patients to hospitals to insurers to regulators to banks in a single automated system.
Oracle says the data in its platform is de-identified, and under the current legal standard, it probably is. But de-identification doesn’t mean what it meant in 2002. It doesn’t mean what most people think it means. It means that 18 categories of identifiers have been removed. It does not mean you can’t be found. And the company determining whether the de-identification is adequate is Oracle. The entity auditing that determination is nobody.
The last time Oracle built detailed profiles on people without their consent, using a system called Oracle Data Cloud that tracked browsing behavior, purchase history, and social media activity for billions of people, they settled a federal class-action lawsuit for $115 million and shut the advertising business down. What’s different this time is that what Oracle is doing with health data may not even be illegal. The moment the data is de-identified, HIPAA steps aside. The 129 million patients whose records are in that platform never consented to their medical histories being sold to pharmaceutical companies, used to train insurance pricing models, or fed into commercial AI. Under the current law, their consent was never required.
The Contract Nobody Has Seen
There is one document that could answer the most important question in this story:what is Oracle actually allowed to do with your Medicare data?
A federal contract this sensitive should contain specific provisions. What the contractor can and cannot do with the data beyond hosting it. Whether re-identification is prohibited. What audit rights the government retains. What happens if those terms are violated. Those kinds of protections are standard in government data contracts. They are what accountability looks like on paper.
The CMS contract with Oracle has not been publicly disclosed. There is no award notice in SAM.gov, the government’s public contract database. The public learned this contract existed because Oracle published a press release. Not because CMS announced it. I looked for the document. It does not exist in any public database.
That means we do not know what Oracle is contractually permitted to do with the Medicare and Medicaid data of 150 million Americans. We don’t know whether re-identification is prohibited. We don’t know what audit rights exist. We don’t know what the consequences are for a violation. That level of secrecy, for a contract of this magnitude, is not normal.
The Cops Are Being Fired
Every piece of what I’ve described is being evaluated in isolation by a different part of the government. The VA contract is treated as a defense procurement issue. The CMS contract is treated as a health IT modernization issue. The QHIN designation goes through a different agency entirely. No single regulator is looking at Oracle’s combined position across all of them at the same time.
And the specific office responsible for enforcing the law that’s supposed to protect your medical privacy is being gutted as we speak. The HHS Office for Civil Rights, known as OCR, is the federal office that enforces HIPAA. They investigate when your health data is mishandled. They levy fines. They require corrective action. They are the watchdog.
HHS has lost roughly 20,000 employees since January 2025 through a combination of DOGE-directed cuts, buyouts, and workforce reductions. The cops are being fired while the biggest data grab in American healthcare history is underway.
And here is the detail that should make all of this land differently. The US government required Oracle, specifically Oracle, to implement data isolation, algorithm audits, an independent oversight board, and legally binding national security terms before it was allowed to manage TikTok’s US data for 170 million Americans. Congress looked at the idea of a single company controlling that much personal information and said: that is a national security risk, and it requires a formal legal framework of oversight before we allow it.
Your TikTok has those protections. Your Medicare record does not. The company that built the governance framework for TikTok has never been asked to apply it to itself.
All part of the modern surveillance infrastructure - the backbone of the global reset agenda.
We are now the DATA that is fed into the surveillance-industrial complex.
Haven't we come a long way from, "our lives, our fortunes, and our sacred honor.."
Seeing how it's actually done - with deceit and general dishonesty - is both fascinating and profoundly disturbing.
It no longer exists to protect the American people from ‘enemies foreign and domestic.’
It now acts on behalf of the enemies of freedom.