North Kansas City (Mo.) Hospital is notifying patients that a cybersecurity breach at EHR vendor Cerner, now known as Oracle Health, exposed some of the hospital’s data.
The hospital said it learned that an unauthorized third party accessed information stored on Cerner’s systems as early as Jan. 22. In a Nov. 25 news release, North Kansas City Hospital emphasized that its own systems were not breached.
Oracle Health determined that the intruder obtained personal data maintained on its platform, according to the hospital. The information may have included patients’ names, dates of birth and Oracle Health patient identifiers.
The company also reported that elements of medical records — including medical record numbers, providers, diagnoses, medications, test results, images and treatment details — could have been involved, though it has not confirmed whether those data points were accessed for any specific individual. Oracle Health said it does not believe Social Security numbers for North Kansas City Hospital’s patients were affected.
Oracle Health told the hospital that federal law enforcement directed a delay in notifying patients and other affected hospital clients to avoid hindering an active investigation.
North Kansas City Hospital said it began seeking details from Oracle Health immediately after learning of the incident. Oracle Health initiated its critical incident response, secured affected systems, launched an investigation and engaged external cybersecurity specialists, according to the news release. The company also notified federal law enforcement.
Several health systems and hospitals have reported being affected by the breach at Oracle Health, including Terre Haute, Ind.-based Union Health; Tallahassee (Fla.) Memorial Healthcare; St. Joseph, Mo.-based Mosaic Life Care; Glens Falls (N.Y.) Hospital; and Baltimore-based LifeBridge Health.
