Oracle Health/Cerner Hack Affects Nearly 263,000 Individuals

by Ryan Coyne | May 18, 2025

Union Health System, an integrated health system based in Terre Haute, Indiana, manages two hospitals and a medical group, which were impacted by a security breach that occurred at Oracle Health/Cerner. Oracle Health sent notification letters to healthcare providers regarding a security breach that affected outdated Cerner servers that had not been moved to Oracle Cloud. A hacker accessed and acquired information hosted in the data migration + of Oracle Health/Cerner, and then attempted to extort the impacted organizations.

Oracle Health has given minimal details about the incident and states that its HIPAA-covered entity clients should determine whether the breach warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation that Oracle Health/Cerner suffered a data breach on March 15, 2024. Oracle Health revealed that it discovered a cybersecurity breach on February 20, 2025, which was confirmed by its forensic investigation. The third party’s initial unauthorized access occurred on or after January 22, 2025. On March 22, 2025, Union Health received a list of the impacted persons from Oracle Health/Cerner.

The breached information included names, birth dates, Social Security numbers, driver’s license numbers, treating doctors’ names, medication details, dates of service, medical insurance details, and diagnostic and treatment data. Union Health recently reported the breach to the HHS’ Office for Civil Rights, stating that 262,831 individuals were affected.

Union Health did not know about the data breach when Oracle Health/Cerner confirmed it in March. An unidentified party contacted Union Health, saying it possessed patient records. Union Health validated the claims on February 24, 2025, and determined the data was most likely acquired from Oracle Health/Cerner. Union Health contacted Oracle Health concerning the breach. Union Health sent breach notification letters that mentioned the breach happened at Oracle Health/Cerner, but did not affect Union Health systems. Union Health stated it is providing free credit monitoring services to impacted persons.

Union Health and Oracle Health/Cerner are facing a lawsuit over the data breach. Plaintiff Shannon Smith filed the lawsuit against Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. in the U.S. District Court for the Western District of Missouri. The plaintiff’s legal counsel is John F. Garvey of Stranch, Jennings & Garvey, PLLC.

The lawsuit alleges that the defendants’ lack of security procedures violated HIPAA and enabled cybercriminals to gain access to sensitive protected health information (PHI) and personally identifiable information (PII), and that the failure amounted to negligence. The lawsuit lists eight causes of action: breach of implied contract, negligence, negligence per se, privacy violation, breach of confidence, declaratory judgment, unjust enrichment, and breach of fiduciary duty.

The lawsuit also raises the issue of the delay in sending notification letters. Because the letters were sent 89 days after the breach occurred, the impacted individuals were deprived of the opportunity to mitigate their risks promptly. The lawsuit states that the data breach put the plaintiff at significant risk of identity theft. The lawsuit seeks a jury trial, injunctive relief, compensatory, exemplary, statutory, and punitive damages, attorneys’ fees, and legal expenses.

Oracle has already confirmed two security incidents in 2025, including this one. The other incident involved a hacker obtaining usernames, encrypted passwords, and passkeys of some Oracle clients. However, Oracle claimed that the Oracle Cloud was not accessed and that no OCI customer data was accessed or stolen. Oracle stated that a hacker gained access to two outdated servers, and that the passwords obtained were not usable because they were encrypted or hashed.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
