Parexel Data Breach Exposes SSNs and Other Personal Info

Parexel International LLC, one of the world's largest clinical research organizations, disclosed a data breach that exposed sensitive personal information tied to employment records. The breach occurred on Oct. 4, 2025, and was caused by a security flaw in Oracle's cloud infrastructure.

The total number of people affected in the United States has not yet been determined.

Parexel discovered the breach on Nov. 20, 2025, and began notifying affected individuals by written letter on Dec. 17, 2025, according to filings with multiple state regulators.

What led to the breach?

According to the company's notification letter to consumers, Parexel detected suspicious activity on Oct. 4, 2025, affecting a portion of its Oracle OCI E-Business Suite ("Oracle EBS") environment. This system was hosted by Oracle on its cloud infrastructure.

The investigation confirmed that the breach stemmed from a zero-day exploit, a previously unknown security flaw, in Oracle's cloud infrastructure. Oracle announced the vulnerability on Oct. 5, 2025, one day after Parexel first noticed the suspicious activity.

Parexel stated that the breach was limited to Oracle's environment. The company said there was no evidence of any compromise of its own internal network or systems.

The files that were accessed without authorization may have contained names, dates of birth, financial account numbers, payment card numbers (without CVV codes), Social Security numbers and national ID numbers, according to the notification letter.

Parexel stated that this information had been provided to the company in connection with employment. This means the breach affected current or former employees rather than patients in clinical trials.

State-level regulatory filings show the breach affected 5,259 Massachusetts residents, 1,203 Texas residents, 158 Maine residents and 36 Montana residents. The breach was also reported to attorneys general in California and Vermont.

The company began sending written notification letters to affected individuals on Dec. 17, 2025.

How Parexel responded

In response to the breach, Parexel disconnected Oracle EBS from its network. The company applied the security patch as soon as Oracle made it available.

Parexel said it is continuing to follow the guidance of Oracle and its cybersecurity partners to ensure ongoing security of the Oracle environment.

Parexel is offering affected individuals 24 months of complimentary identity protection services through IDX. The membership includes credit monitoring and identity theft resolution services.

Parexel also set up a dedicated support team that is available from 9 a.m. to 9 p.m. ET, Monday through Friday, excluding major U.S. holidays.

Steps to take if personal information was exposed

Place a credit freeze. A credit freeze prevents anyone from opening new accounts or borrowing money using stolen personal information. It is free to place, temporarily lift or permanently remove a freeze.

To set one up, individuals must contact each of the three major credit bureaus:

• Equifax: 1-888-298-0045 or https://www.equifax.com/personal/credit-report-services/
• Experian: 1-888-397-3742 or https://www.experian.com/help/
• TransUnion: 1-800-916-8800 or https://www.transunion.com/credit-help

Keep in mind that a credit freeze will also prevent the individual from getting instant credit, a new credit card or a loan until the freeze is lifted.

Set up a fraud alert. A fraud alert tells creditors to take extra steps to verify identity before opening new accounts. Individuals only need to contact one of the three credit bureaus listed above. That bureau will notify the other two.

Request an IRS Identity Protection PIN. An Identity Protection PIN from the IRS. This six-digit number helps prevent someone else from filing a fraudulent tax return using a stolen Social Security number.

Monitor financial accounts closely. Any suspicious activity should be reported to the bank or card issuer immediately. Individuals may also want to request new account numbers or replacement cards from their financial institutions.

Check credit reports regularly. Under federal law, everyone is entitled to one free credit report every 12 months from each of the three major credit bureaus. Reviewing these reports can help individuals spot accounts or inquiries they did not authorize.

Watch for phishing attempts. After a data breach, scammers sometimes send emails, texts or phone calls that reference the breach by name to trick people into sharing more personal information. Individuals should be cautious of any unexpected messages claiming to be from Parexel, Oracle or IDX.

File a complaint if needed. Anyone who discovers that their information has been misused can file a complaint with the Federal Trade Commission at www.identitytheft.gov or by calling 1-877-438-4338. Individuals can also contact their state attorney general for additional guidance.