A class action lawsuit has been proposed against Huntsville Hospital Health System in response to the 2025 Oracle Health/Cerner data breach. The suit claims that the organization did not sufficiently protect patients' sensitive information.

 

What happened

According to Health Exec, a patient has filed a proposed class action lawsuit against Huntsville Hospital Health System, alleging the organization failed to adequately protect sensitive patient information that was exposed during the 2025 cyberattack on Cerner's legacy electronic health record (EHR) systems. The lawsuit marks one of the first major legal actions against a healthcare provider stemming from the Oracle Health/Cerner breach, even though the hospital maintains the incident occurred entirely within Cerner's systems.

 

The backstory

On July 1st, Huntsville Hospital released a statement addressing a data breach involving Cerner, the electronic health record (EHR) vendor now owned by Oracle Health. According to the notice, Oracle Health informed the health system on August 12, 2025, that an unauthorized third party had gained access to legacy Cerner systems beginning as early as January 22, 2025, and exfiltrated patient information stored on those systems. The hospital said the incident did not involve its own network or systems, but rather infrastructure maintained by Cerner.

The compromised information varied by individual but may have included names, Social Security numbers, dates of birth, driver's license numbers, medical record numbers, treating physicians, diagnoses, medications, laboratory results, and other clinical information. Huntsville Hospital said there was no evidence that its internal systems were accessed during the attack.

The health system explained that patient notifications were delayed at the request of federal law enforcement so as not to interfere with the ongoing criminal investigation. Once the restriction was lifted, the hospital began notifying affected individuals, offering complimentary credit monitoring and identity protection services, and encouraging patients to monitor their financial accounts and credit reports for suspicious activity.

 

Going deeper

The complaint alleges that the health system failed to implement reasonable safeguards to protect patients' personally identifiable information (PII) and protected health information (PHI). According to court filings, the plaintiff claims patients have been exposed to an increased risk of identity theft and fraud as a result of the incident.

The lawsuit follows months after Oracle Health disclosed that attackers had gained access to legacy Cerner systems and exfiltrated patient data belonging to multiple healthcare organizations across the United States. The compromised information reportedly included names, Social Security numbers, dates of birth, driver's license numbers, medication information, and diagnostic details.

 

What was said

In response to the lawsuit, Huntsville Hospital Health System said the breach did not originate from its own infrastructure. According to Health Exec, a hospital spokesperson stated that “the security incident in question occurred on Cerner's systems. It did not involve access to any system maintained by Huntsville Hospital Health System, nor was it caused by a failure of Huntsville Hospital Health System.”

The health system added that it had only recently been notified of the lawsuit and is reviewing the complaint.

 

Why it matters

Although the cyberattack occurred on Oracle Health's legacy Cerner infrastructure rather than on Huntsville Hospital's own systems, the lawsuit argues that healthcare providers still have a duty to ensure vendors entrusted with patient data maintain appropriate security protections.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQS

Who is responsible for protecting patient data stored by third-party vendors?

Under HIPAA, both covered entities and business associates have responsibilities for PHI. Business associates must implement appropriate safeguards, while covered entities must conduct due diligence, execute a business associate agreement (BAA), and ensure vendors are capable of securing PHI.

 

Can healthcare organizations be liable for a vendor's data breach?

Yes. Although a cyberattack may occur on a third-party vendor's systems, healthcare organizations can still face lawsuits and regulatory scrutiny if plaintiffs argue they failed to exercise reasonable care when selecting, overseeing, or contracting with vendors that handle patient data.