Three health systems reported that patient information may have been involved in a data security incident tied to Cerner, the EHR vendor now known as Oracle Health.
Lake Regional Health System (Osage Beach, Mo.), OSF Saint Clare Medical Center (Princeton, Ill.) and Aultman Health System (Canton, Ohio) each disclosed that an unauthorized third party gained access to data stored on legacy Cerner systems earlier this year. The incidents did not involve the health systems’ internal IT systems or disrupt clinical operations, the organizations said in notices posted on their websites.
Cerner determined that the unauthorized access occurred as early as Jan. 22, 2025, on legacy systems it previously operated for clients, according to the notices from OSF Saint Clare and Aultman.
Lake Regional said it was notified by Cerner in late October that some patient information may have been affected. Cerner discovered the incident in late February and launched an investigation with outside cybersecurity specialists and law enforcement, according to Lake Regional’s notice.
Law enforcement officials requested that Cerner and affected health systems delay notifying patients during the investigation. That restriction has since been lifted, allowing health systems to begin notifying potentially affected individuals.
The types of data potentially involved vary by organization but may include names, dates of birth, Social Security numbers, medical record numbers, and clinical information such as diagnoses, medications, test results and images, according to the notices. None of the health systems reported evidence that patient information had been misused at the time of disclosure.
OSF Saint Clare said Cerner informed the organization on Sept. 29 that an unauthorized third party had accessed legacy systems and obtained certain data. Cerner later provided a list of potentially affected patients on Nov. 3, according to the notice. OSF Saint Clare said it no longer uses Cerner’s services and that its own systems and operations were not affected.
Aultman Health System — which includes Aultman Hospital, Aultman Alliance Community Hospital and Aultman Orrville Hospital — said the incident occurred at Cerner and did not involve its internal systems. Affected individuals are being notified and offered two years of identity protection and credit monitoring services through Experian.
Lake Regional said its internal systems were not compromised and that no disruption to care occurred. The health system said patients whose information may have been affected will receive individual notification letters and be offered identity protection and credit monitoring services.
Cerner, which was acquired by Oracle in 2022 and now operates as Oracle Health, previously told customers it had secured the impacted systems, engaged external cybersecurity experts and notified law enforcement, according to the health systems’ notices.
The disclosures add to a growing list of health systems reporting impacts tied to the Cerner incident. In December, Becker’s reported that the hack on Oracle Health may have affected as many as 80 hospitals.