Breach Reports Continue to Emerge

More Than 410,000 Patients Reported Affected, Likely More to Come

Oracle/Cerner EHR Hack: Breach Reports Still Trickling In

Earlier this year, a hacking incident compromised legacy patient data on Cerner electronic health record (EHR) servers that were slated for migration to Oracle’s cloud environment. Reports of data breaches linked to the incident continue to emerge at a slow pace. To date, the reports indicate that at least 410,000 individuals have been impacted, although many omit precise numbers, suggesting the actual figure may be significantly higher.

Among the latest institutions disclosing breaches associated with the Cerner hack is Missouri-based Heartland Regional Medical Center, operating as Mosaic Life Care. On June 27, Mosaic informed the U.S. Department of Health and Human Services (HHS) that nearly 145,300 patients were affected by the incident. Similarly, Tallahassee Memorial Hospital in Florida has reportedly begun notifying an undisclosed number of patients about potential compromises to their health information.

These data breach alerts come amid ongoing assessments by affected organizations. Notably, Cerner submitted its own report to HHS, indicating an estimated impact on 501 individuals. This figure often serves as a preliminary estimate while organizations finalize their victim counts. Cerner’s breach reports have also reached attorneys general in several states, including California, South Carolina, and Texas, disclosing varied numbers of individuals affected.

The Cerner data breach represents one of at least two major hacking incidents involving Oracle this year. This event raises critical questions about the challenges that businesses, especially healthcare providers, face when determining the extent of a data breach after a cyberattack. Experts note that understanding and reporting the full impact of such incidents can require significant time and effort.

Amidst the aftermath of the breach, organizations including Mosaic and Union Health have reported that they were alerted to their compromised status only after being contacted by cybercriminals. Mosaic Life Care reported being informed by an unidentified party claiming possession of patient information, which led to a verification process involving Oracle Health/Cerner to confirm the breach’s origin.

As organizations deal with the consequences of the Cerner hack, they must also contend with the legal ramifications. Oracle is now facing consolidated proposed federal class-action litigation encompassing around 20 individual lawsuits tied to this incident. Healthcare providers are urged to establish communication with their vendors to clarify whether sensitive patient data was involved in the breach, to re-evaluate business associate agreements, and to ensure timely notifications to affected individuals.

In conclusion, as the number of impacted patients continues to rise, the Cerner hacking incident serves as a stark reminder of the persistent cybersecurity risks facing the healthcare sector. Business owners should remain vigilant, actively engaging with their vendors to fortify their defenses against such threats moving forward.
