Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack
Union Health System, a Terre Haute, Indiana-based integrated health system that operates two hospitals and a medical group, has been affected by a security incident at Oracle Health/Cerner. Oracle Health recently notified healthcare providers about a security incident involving legacy Cerner servers, which had yet to be migrated to Oracle Cloud. Oracle acquired Cerner in 2022. A hacker was able to access and obtain data hosted in the Oracle Health/Cerner data migration environment, and then tried to extort the affected companies.
Oracle Health has released little information about the incident and maintains it is the responsibility of its HIPAA-covered entity clients to determine if there has been a breach that warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation of the data breach from Oracle Health/Cerner on March 15, 2024. Oracle Health explained that it detected a cybersecurity incident on February 20, 2025, and its forensic investigation confirmed that the unauthorized third party’s initial access occurred on or after January 22, 2025. Union Health received a list of the affected individuals from Oracle Health/Cerner on March 22, 2025.
The compromised data included names plus Social Security numbers, dates of birth, driver’s license numbers, treating physicians’ names, dates of service, medication information, health insurance information, and diagnostic and treatment information. The breach was recently reported to the HHS’ Office for Civil Rights by Union Health as affecting 262,831 individuals.
While the data breach was confirmed by Oracle Health/Cerner in March, that was not the first time that Union Health was made aware of the data breach. An “unknown party” contacted Union Health claiming to be in possession of patient data. Union Health verified the individual’s claims on February 24, 2025, and identified the information as likely having been obtained from Oracle Health/Cerner. Union Health then proactively reached out to Oracle Health about the incident for confirmation, which was obtained on March 15, 2025. Union Health made it clear in the notification letters that the breach occurred at Oracle Health/Cerner and no Union Health systems were accessed. Union Health said it is offering the affected individuals complimentary credit monitoring services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
A lawsuit has already been filed against Union Health and Oracle Health/Cerner over the data breach. The lawsuit, Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. – was filed in the U.S. District Court for the Western District of Missouri by plaintiff Shannon Smith, who is represented by John F. Garvey of Stranch, Jennings & Garvey, PLLC.
The lawsuit claims that the defendants’ inadequate security practices violated HIPAA and allowed cybercriminals to gain access to sensitive personally identifiable information (PII) and protected health information (PHI), and that the failure amounts to negligence. The lawsuit cites eight causes of action – negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment.
The lawsuit also takes issue with the time taken to issue notification letters, which were not sent until 89 days after the breach occurred, keeping the affected individuals in the dark and depriving them of the opportunity to try to mitigate their injuries in a timely manner. The lawsuit claims the data breach has placed the plaintiff and class members at a present, continuing, and significant risk of suffering identity theft. The lawsuit seeks a jury trial, compensatory, exemplary, punitive, and statutory damages, injunctive relief, attorneys’ fees, and legal costs and expenses.
This is one of two security incidents to be confirmed by Oracle in 2025. In a separate incident, a hacker obtained usernames, passkeys, and encrypted passwords of an undisclosed number of Oracle customers. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach. No OCI customer environment has been penetrated,” explained Oracle. “No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.” Oracle confirmed that a hacker gained access to two obsolete servers but did not obtain any usable passwords, as the passwords were either encrypted or hashed.
