On January 21, 2026, Jupiter Medical Center (JMC) in Jupiter, Florida, issued an alert to patients about a data breach affecting Cerner Corporation, a company that provides electronic health records to hospitals and other healthcare organizations.
According to a statement posted on JMC’s website, the incident did not involve JMC’s own information systems but did potentially impact a limited number of JMC patients because their data was stored on legacy Cerner systems. Cerner Corporation determined through an investigation that, as early as January 22, 2025, an unauthorized third party had gained access to protected health information (PHI). The company initially delayed notifying patients and hospital customers at the direction of law enforcement, as alerting individuals too early could have compromised the investigation.
The investigation into the breach was completed on or around November 30, 2025. Jupiter Medical Center explained that the personal information potentially affected included names, Social Security numbers, medical record numbers, doctors, diagnoses, medications, test results, medical images, and details regarding care and treatment. The hospital emphasized that the breach originated with Cerner Corporation’s systems, not its own, and that the notification is being issued out of an abundance of caution.
According to the JMC notification, “Cerner Corporation has determined through an investigation that, at least as early as January 22, 2025, an unauthorized third party gained access to PHI on legacy Cerner Corporation systems. Cerner Corporation informed us that law enforcement investigators directed a delay in notifying patients, as well as its hospital customers, about this incident because it could have impeded their investigation.”
Although JMC’s own systems were not compromised, sensitive data stored on Cerner Corporation’s legacy systems may have been accessed by an unauthorized party. This isn’t an isolated problem: an Applied Clinical Informatics study found that “More than half (56%) reported a breach involving a third party accessing their network in the last 12 months… Third parties present unique access management challenges … creating risks because they may have more access than needed operationally, and often have access points into many healthcare delivery organizations.”
In other words, even if a hospital’s systems are secure, the vendors it relies on can create weak points that leave patient information exposed. For JMC patients, this means that while the hospital itself remained protected, their PHI could still have been compromised.
HIPAA requires affected individuals, the U.S. Department of Health and Human Services, and sometimes the media to be notified following a breach.
HIPAA generally requires notification without unreasonable delay and no later than 60 days after discovery of the breach.
Accidental disclosures may not be considered breaches if they meet specific exceptions outlined in HIPAA.