What Happened in the Parexel Data Breach?
Parexel International LLC, one of the largest clinical research organizations in the world, has disclosed a data breach tied to a flaw in Oracle’s cloud infrastructure. The Parexel data breach exposed sensitive personal information connected to employment records. According to the company’s notification letter, unauthorized access to its Oracle OCI E-Business Suite environment occurred on or about Oct. 4, 2025.
The intrusion stemmed from a zero-day exploit, a previously unknown security flaw, inside Oracle’s cloud infrastructure. Oracle publicly announced the vulnerability on Oct. 5, 2025, just one day after Parexel first noticed suspicious activity. As a result, Parexel launched an investigation to determine the scope of the exposure and confirm which systems were touched.
Parexel discovered the breach internally on Nov. 20, 2025. The company’s forensic review found that the breach was limited to Oracle’s environment. Importantly, Parexel stated there was no evidence that its own internal network or systems were compromised at any point.
Because the affected system was hosted and managed by Oracle, Parexel’s response focused on working with Oracle directly. The company began notifying affected individuals by written letter on Dec. 17, 2025. This notification followed filings made with several state regulators across the country.
Who was affected?
The Parexel data breach affected current or former employees rather than patients involved in clinical trials. This distinction matters because the exposed data was tied to employment records, not medical research files. As a result, the population impacted includes people who submitted personal information to Parexel as part of their job.
The exact number of individuals affected in the United States has not yet been publicly disclosed. However, state-level filings offer a partial picture. Massachusetts reported 5,259 residents affected, Texas reported 1,203, Maine reported 158 and Montana reported 36. Parexel also notified the attorneys general of California and Vermont, though specific resident counts for those states were not detailed in available filings.
Because these figures only reflect the states that require public breach reporting, the true nationwide total is likely higher. Additionally, since the exposed data was tied to employment records, the breach may include former employees who no longer have an active relationship with the company.
What Information Was Potentially Exposed?
According to Parexel’s notification letter, the files accessed without authorization may have contained several categories of sensitive personal data. This information had originally been submitted to Parexel in connection with employment.
- Full names
- Dates of birth
- Financial account numbers
- Payment card numbers (without CVV codes)
- Social Security numbers
- National ID numbers
This combination of data is particularly concerning because it includes both financial account details and government-issued identification numbers. When these data types appear together, they give criminals nearly everything needed to open new financial accounts or file fraudulent tax returns in someone else’s name.
For example, a stolen Social Security number combined with a date of birth can allow a criminal to apply for credit, loans or government benefits. Similarly, exposed financial account numbers could be used to attempt unauthorized transactions, even without a CVV code. Because of this, affected individuals face a heightened risk of identity theft and financial fraud in the months following notification.
What is the company doing?
In response to the breach, Parexel immediately disconnected Oracle EBS from its network. This step aimed to limit any further unauthorized access while the investigation continued. Once Oracle released a security patch, Parexel applied it right away.
Parexel also said it continues to follow guidance from Oracle and outside cybersecurity partners. This ongoing collaboration is meant to strengthen the security of the Oracle environment going forward. In addition, the company is offering affected individuals 24 months of complimentary identity protection services through IDX, which includes credit monitoring and identity theft resolution support.
To assist people with questions, Parexel set up a dedicated support team. This team is available from 9 a.m. to 9 p.m. ET, Monday through Friday, excluding major U.S. holidays. Individuals who receive a notification letter can use this resource to ask questions about the breach or their enrollment in identity protection services.
What Should Affected Individuals Do?
Place a Credit Freeze
Anyone whose Social Security number or financial account information was exposed should strongly consider placing a credit freeze. A credit freeze stops anyone from opening new accounts or borrowing money using stolen personal information. This makes it one of the strongest protections available after a breach involving financial data.
To place a freeze, individuals must contact each of the three major credit bureaus separately: Equifax, Experian and TransUnion. It is free to place, temporarily lift or permanently remove a freeze. Keep in mind that a freeze will also block instant credit approvals, so it may need to be lifted temporarily when applying for a loan or new card.
Set Up a Fraud Alert
A fraud alert tells creditors to take extra steps to verify identity before opening new accounts. This is a lighter-touch option compared to a full credit freeze. Because the exposed data included Social Security numbers, a fraud alert adds a useful layer of protection.
Individuals only need to contact one of the three credit bureaus to set up a fraud alert. That bureau is required to notify the other two. As a result, this option is often faster and simpler to arrange than a credit freeze.
Request an IRS Identity Protection PIN
Because Social Security numbers were exposed, affected individuals should consider requesting an Identity Protection PIN from the IRS. This six-digit number helps prevent someone else from filing a fraudulent tax return using a stolen Social Security number. Tax-related identity theft can be difficult to detect until a return is rejected or a refund is delayed.
Setting up this PIN is a proactive step that closes off one of the most common forms of fraud following a breach like this one. Since the IRS PIN changes annually, individuals should also plan to renew it each tax season for continued protection.
Monitor Financial Accounts and Credit Reports
Given that payment card numbers and financial account numbers were exposed, affected individuals should monitor their financial accounts closely. Any suspicious activity should be reported to the bank or card issuer right away. In some cases, it may be worth requesting new account numbers or replacement cards.
In addition, everyone is entitled to one free credit report every 12 months from each of the three major credit bureaus under federal law. Reviewing these reports regularly can help individuals spot accounts or inquiries they did not authorize. This is especially important during the months immediately following a breach notification.
Watch for Phishing Attempts
After a data breach becomes public, scammers often send emails, texts or phone calls that reference the breach by name. These messages are designed to trick people into sharing even more personal information. Therefore, affected individuals should treat any unexpected communication with caution.
Anyone contacted by someone claiming to represent Parexel, Oracle or IDX should verify the request independently before responding. If personal information is misused, individuals can file a complaint with the Federal Trade Commission at identitytheft.gov. Consulting a data breach attorney for a free case evaluation can also help affected individuals understand their legal options.
More Information
Official State Attorney General Notification
Official Data Breach Notification Letter (PDF)
Official State Attorney General Notification
