Oracle Health Cerner breach reaches Atrium Health after 16 months

Atrium Health Navicent has become the latest health system to notify patients of the January 2025 Oracle Health breach, completing its data review in March 2026 after learning it was affected only recently.

What happened

Atrium Health Navicent in Macon, Georgia, has begun notifying patients that their protected health information may have been exposed in a January 2025 breach of legacy Cerner systems operated by Oracle Health. According to Becker's Hospital Review, Oracle Health detected the breach in February 2025 after an unauthorized actor accessed certain legacy Cerner servers, with investigators determining access began as early as January 22, 2025. Atrium Health Navicent said it only recently learned from Oracle Health that it was affected, and completed its own data review on March 12, 2026. The breach affects patients who received care at Atrium Health facilities in the greater Charlotte area before August 6, 2022, or at Atrium Health Navicent before July 3, 2021. Compromised data includes names, addresses, dates of birth, medical record numbers, provider names, diagnoses, medications, test results, and images. Social Security numbers were also compromised for certain individuals.

Going deeper

The Atrium Health Navicent notification adds to a growing list of health systems affected by the Oracle Health Cerner breach. According to Becker's Hospital Review, at least 13 health systems had confirmed their involvement as of early 2026, including AdventHealth, OSF HealthCare, Methodist Le Bonheur Healthcare, ChristianaCare, LifeBridge Health, and Baptist Health South Florida. The data affected by the breach was stored in legacy Cerner systems that Atrium Health Navicent no longer uses as a primary EHR, but which still held historical patient records from before the organization's transition away from the platform. Oracle Health reportedly asked healthcare organizations to delay notification while its investigation was ongoing, contributing to the extended timeline between the January 2025 breach and notifications now arriving in 2026. A federal class action complaint filed in May 2026 accuses Oracle Health of failing to adequately protect patient data and of delaying timely notification, according to court filings cited by local news source, 13WMAZ.

What was said

In its official breach notice, Atrium Health Navicent stated, "Cerner, now part of Oracle Health, is a third-party electronic health record vendor used by many healthcare providers nationwide. While we no longer utilize Cerner as a primary EHR provider, certain sites within our system historically used Cerner systems." The notice added that "Cerner reported that it is not aware of any evidence to suggest there has been identity theft or fraud related to Atrium Health patient data" and confirmed that Cerner has implemented enhanced technical protections and increased monitoring as remedial steps.

In the know

Oracle Health's Cerner breach is one of the largest EHR vendor incidents on record by number of affected health systems. The breach exploited legacy infrastructure that was in the process of being migrated to Oracle Health's newer systems, a transition period that researchers have consistently identified as a window of elevated vulnerability for healthcare organizations. According to Becker's Hospital Review, the number of affected health systems continued to grow through the first half of 2026 as reviews concluded and notifications were issued, with each affected organization operating on its own timeline, dependent on when Oracle Health notified them and how long their own file review took.

The big picture

The Oracle Health Cerner breach demonstrates how a single vendor incident in the EHR sector produces cascading disclosure obligations across dozens of covered entities simultaneously, each on a different notification timeline and each managing its own regulatory exposure. Patients whose records were stored on legacy Cerner servers had no way of knowing which of their former providers used that infrastructure, meaning many received notification letters from health systems they may not have interacted with in years. The breach also shows the specific risk of data held in legacy migration queues: records that are no longer in active use but have not yet been fully transitioned or decommissioned remain exposed to the same threat vectors as live systems, without always receiving the same security attention. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure accounted for 28% of all email-related healthcare breaches in 2025. The Oracle Health case extends that pattern to the EHR layer, where a single compromised vendor holds historical records from dozens of health systems that have long since moved to other platforms.

FAQs

Why are patients receiving notifications now for a breach that happened in January 2025?

Oracle Health reportedly asked affected health systems to delay notification while its investigation was ongoing. Each health system then conducted its own data review to identify which patients were affected, a process that takes months when large volumes of historical records are involved. The 16-month gap reflects both Oracle Health's investigation timeline and each organization's subsequent review.

Why does the breach affect patients whose care predates the organization's use of Cerner?

Legacy EHR systems often hold years of historical patient records even after an organization transitions to a new platform. Atrium Health Navicent's Cerner systems still contained records from patients seen before July 2021, meaning those records remained on Oracle Health's infrastructure and were within the scope of the breach despite the organization no longer actively using Cerner.

What is the significance of Oracle Health asking health systems to delay notification?

HIPAA's Breach Notification Rule places the 60-day notification clock on covered entities from the point of discovery. When a business associate such as Oracle Health asks a covered entity to delay, the covered entity must weigh its own legal obligations against the vendor's request. If the delay pushed notifications beyond 60 days from when the covered entity learned of the breach, those organizations face potential HIPAA compliance exposure.

How many health systems have been affected by the Oracle Health Cerner breach?

At least 13 health systems had confirmed their involvement as of early 2026, with additional organizations continuing to issue notifications as their data reviews conclude. The final count is likely to be higher as organizations that learned of their involvement later in 2026 complete their reviews.

What should patients do if they receive a notification letter from Atrium Health or another affected health system?

Oracle Health has established a dedicated call center at 833-918-8326 for affected individuals. Atrium Health Navicent is offering two years of complimentary credit monitoring through Experian, which patients can enroll in by following the instructions in their notification letter or by calling the dedicated line with the engagement number B163718.