Cybersecurity | 13 May 2025 | 3m | hipaajournal.com

Data Breach at Union Health: 263,000 Individuals Impacted

A significant data breach at Union Health System, linked to Oracle Health/Cerner, has impacted nearly 263,000 individuals, prompting legal action over potential negligence.
Key Takeaways

  • 1. "The notification letters were not sent until 89 days after the breach occurred, which kept individuals unaware of potential risks to their data." The lawsuit argues this delay has placed affected individuals at significant risk for identity theft.
  • 2. "We received confirmation of a data breach from Oracle Health/Cerner on March 15, 2024," said a spokesperson for Union Health.
  • 3. "The breach has affected 262,831 individuals, and we've made it clear that this incident occurred at Oracle Health/Cerner, meaning no Union Health systems were compromised," added the spokesperson.

Union Health System, based in Terre Haute, Indiana, is grappling with a data breach affecting approximately 263,000 individuals, linked to a security incident at Oracle Health/Cerner. This crisis follows a notification from Oracle Health about unauthorized access to sensitive data hosted on legacy Cerner servers, which had yet to transition to Oracle Cloud following the acquisition of Cerner in 2022.

"We received confirmation of a data breach from Oracle Health/Cerner on March 15, 2024," said a spokesperson for Union Health. This notification came after Oracle identified a cybersecurity incident that had first occurred in January 2025. An investigation revealed that unauthorized access had happened on or after January 22, raising concerns about the extent of the breach.

By the Numbers

The leaked information includes sensitive data, such as names, Social Security numbers, dates of birth, and a wealth of medical details. "The breach has affected 262,831 individuals, and we've made it clear that this incident occurred at Oracle Health/Cerner, meaning no Union Health systems were compromised," added the spokesperson. To assist those affected, Union Health is offering complimentary credit monitoring services.

The timeline of events is notable. Union Health was initially alerted to potential data exposure by an unnamed individual who claimed to possess patient records. "After verifying the claims on February 24, 2025, we proactively reached out to Oracle for confirmation," explained the spokesperson. On March 22, Union Health received a detailed list of affected individuals from Oracle Health/Cerner, leading to further action.

Legal challenges have already emerged following the breach. A lawsuit has been filed against Union Health and Oracle Health/Cerner by plaintiff Shannon Smith. The case is currently underway in the U.S. District Court for the Western District of Missouri, where Smith, represented by attorney John F. Garvey of Stranch, Jennings & Garvey, PLLC, accuses the defendants of negligence and inadequate security practices. "The breach has exposed sensitive personally identifiable information (PII) and protected health information (PHI), violating HIPAA standards," Smith's complaint claims.

The lawsuit brings forth multiple grievances against Oracle and Union Health, including negligence, breach of implied contract, and invasion of privacy. One crucial point of contention is the delay in notifying affected individuals. "The notification letters were not sent until 89 days after the breach occurred, which kept individuals unaware of potential risks to their data," noted Garvey.

The lawsuit argues this delay has placed affected individuals at significant risk for identity theft. It seeks various forms of damages and requests a jury trial to adjudicate the claims made against Union Health and Oracle Health/Cerner.

In an interesting development, Oracle experienced another security incident earlier in 2025, unrelated to the Union Health breach. According to the company, a hacker gained access to usernames, passkeys, and encrypted passwords of some Oracle customers, but the company emphasized that "the Oracle Cloud has not experienced a security breach; no customer data has been viewed or stolen."

Impact and Legacy

This latest breach at Union Health underscores the vulnerabilities present in the healthcare sector, raising questions about the security of sensitive patient data in a rapidly evolving digital landscape. With lawsuits pending and trust at stake, the impact of these incidents will likely unfold over the coming months, as affected individuals and healthcare providers assess their next steps in seeking accountability and resolution.