More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack

Munson Healthcare, the largest health system in Northern Michigan, has recently notified patients about unauthorized access to its electronic medical record system. The unauthorized access started as early as January 22, 2025, and was detected by its EHR vendor Cerner on February 20, 2025. Cerner, now Oracle Health, confirmed that a hacker gained access to two legacy Cerner servers and potentially stole a range of personal and health information. Munson Healthcare has confirmed that the stolen data included names, Social Security numbers, and information typically found in electronic medical records, such as medical record numbers, diagnoses, medications, test results, care and treatment information, and doctors’ names. The data on the servers was awaiting migration to the Oracle Cloud at the time of the data breach.

Munson Healthcare said Cerner took action to prevent further unauthorized access, engaged third-party cybersecurity experts to investigate the data breach, and notified law enforcement about the cyberattack. While Oracle Health publicly confirmed the cyberattack in March 2025, it has taken months for the affected healthcare providers to be notified, and many patients have only recently learned that their personal and health information was stolen in the incident. Munson Healthcare attributed the delay in issuing notifications to Cerner, which has previously stated that the delay was at the request of law enforcement so as not to interfere with the investigation.

Oracle Health has not confirmed exactly how many of its healthcare provider clients have been affected, nor the number of affected individuals. Multiple class action lawsuits have been filed in response to the data breach, and as part of the litigation, the company’s attorneys said up to 80 hospitals may have been affected. Munson Healthcare was one of the worst-affected clients, as 101,891 current and former patients have been affected. Munson Healthcare has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

Munson Healthcare’s Chief Legal Officer, Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the data breach last week. Attorney General Nessel is pushing for stronger consumer data protection laws to be enacted. New legislation was passed by the Senate last summer, but has yet to be passed by the House of Representatives. “These [notification] delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors,” said AG Nessel. “I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”

The post More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack appeared first on The HIPAA Journal.

HHS-OIG Report Highlights Key HHS Cybersecurity Challenges

The U.S. Department of Health and Human Services Office of Inspector General has published its annual report on the Top Management and Performance Challenges Facing HHS to help the department improve the effectiveness and efficiency of its programs. The report highlights some of the cybersecurity challenges faced by HHS, including a lack of standardized governance and controls, which complicates HHS’s preparedness efforts to prevent and respond to cybersecurity threats.

The HHS is a large department with disparate organizational approaches to cybersecurity across its various divisions and programs. While the department has taken steps to consolidate cybersecurity functions and improve cybersecurity, HHS-OIG says overall progress is often still dependent on each division and program. In addition, the HHS has an army of contractors, grantees, and other external entities that number in the thousands. Cybersecurity solutions must be implemented within the HHS, but also by each contractor, grantee, and external entity. That makes cybersecurity improvements especially challenging, and the ability of the HHS to mitigate cybersecurity threats is often dependent on those entities implementing cybersecurity solutions specific to their operations. “Protecting technology and data requires broader efforts beyond implementing technical fixes, such as establishing clear expectations; modernizing program rules; and conducting effective oversight of the Department’s contractors, grantees, and other external entities,” HHS-OIG said.

The healthcare sector remains a key target for cyber actors. Ransomware attacks continue in volume, as financially motivated threat actors encrypt and steal data to use as leverage to obtain ransom payments. Cyberattacks are growing in sophistication and are continually evolving, and the HHS must be able to respond quickly, alert the sector about vulnerabilities under exploitation, and help prepare the sector for evolving threats.

The HHS plays a key role in improving cybersecurity across the sector and responding to threats, yet the diffuse nature of HHS cybersecurity authorities and responsibilities is complicating HHS’s response efforts. The HHS has limited resources for improving cybersecurity across the healthcare and public health sector, and it faces obstacles such as the sector’s reliance on legacy technology and workforce challenges. Further, privacy and security are governed by HIPAA, which is more than two decades old. HHS-OIG warned that the HIPAA Privacy Rule and the HIPAA Security Rule may not be sufficient to address contemporary privacy concerns and the increasing cybersecurity risks to electronic protected health information. As such, HHS-OIG said the HHS must adapt as privacy and security needs evolve.

Further regulation could help in this regard; however, the HHS has been slow to enact updates to the HIPAA Rules. A Privacy Rule update was proposed by HHS under the previous Trump administration in late 2020, yet a final rule has still not been published more than five years after the update was first proposed. The update is still on the HHS’s agenda, but there has been no indication when a final rule will be published. An extensive update to modernize the HIPAA Security Rule to strengthen cybersecurity across the sector was proposed in the final days of the Biden administration. While there is an urgent need to improve cybersecurity across the sector, it is currently unclear if the HHS, under the Trump administration, plans on implementing the proposed rule.

HHS-OIG said the HHS has taken action to address the challenges it highlights in the report, but there are considerable opportunities for further progress, and until the HIPAA Rules are updated, HHS must continue to work within the statutory authorities established by HIPAA in 1996, the HIPAA Privacy Rule in 2000, and the HIPAA Security Rule in 2003.
