In January, hackers gained access to a cache of Cerner electronic health records stored on a legacy network.
But some patients whose sensitive health and financial information may have been exposed are only now being notified — and many others still haven’t been told.
NKC Health, formerly North Kansas City Hospital, is one of the most recent hospitals to let patients know about a cyber incident involving Cerner, now Oracle Health. The Nov. 25 notice said the hospital had only “recently learned” of the incident, which has been unraveling for months and reportedly dates back to January.
About a dozen hospitals across the country, including Mosaic Life Care in St. Joseph, Missouri, have sent similar notices to patients. Oracle has not publicly disclosed the number of hospitals involved or how many patients may have been affected.
But Elena A. Belov, a lawyer representing victims of the data breach in a federal class action lawsuit filed in the Western District of Missouri, said she has been told by Oracle’s attorneys that 80 hospitals’ patient records may have been involved. And that could amount to millions of victims.
“This is one of the most massive breaches in the health care industry in the last couple of years,” said Belov, who practices with the Almeida Law Group. “We still don’t know the entire universe. The list of affected hospitals has not been made public.”
Oracle Health, which acquired North Kansas City-based Cerner for $28 billion in 2022, did not reply to re
TPRM report: https://www.rankiteo.com/company/oracle-health
"id": "ora1764943612",
"linkid": "oracle-health",
"type": "Breach",
"date": "01/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': None,
'industry': 'Healthcare',
'location': 'North Kansas City, Missouri, '
'USA',
'name': 'NKC Health (formerly North '
'Kansas City Hospital)',
'size': None,
'type': 'Hospital'},
{'customers_affected': None,
'industry': 'Healthcare',
'location': 'St. Joseph, Missouri, USA',
'name': 'Mosaic Life Care',
'size': None,
'type': 'Hospital'},
{'customers_affected': 'Millions '
'(estimated)',
'industry': 'Healthcare Technology',
'location': 'North Kansas City, Missouri, '
'USA',
'name': 'Oracle Health (formerly Cerner)',
'size': 'Large',
'type': 'Health IT Provider'}],
'customer_advisories': 'Patient notifications sent (delayed)',
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': 'Millions '
'(estimated)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Electronic health '
'records, financial '
'information'},
'date_detected': '2024-01',
'date_publicly_disclosed': '2024-11-25',
'description': 'Hackers gained access to a cache of Cerner '
'electronic health records stored on a legacy '
'network, exposing sensitive health and financial '
'information of patients. Notifications to '
'affected patients are ongoing, with many still '
'uninformed. The incident reportedly dates back '
'to January and involves multiple hospitals '
'across the country.',
'impact': {'brand_reputation_impact': 'High',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Sensitive health and financial '
'information',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High',
'legal_liabilities': 'Federal class action lawsuit',
'operational_impact': None,
'payment_information_risk': 'High',
'revenue_loss': None,
'systems_affected': 'Cerner electronic health '
'records'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': 'Legacy network '
'vulnerability'},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'News Article',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': 'Federal class action '
'lawsuit (Western '
'District of '
'Missouri)',
'regulations_violated': 'HIPAA '
'(assumed)',
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Delayed patient '
'notifications',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'Cerner Electronic Health Records Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Legacy network'}