HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

North Kansas City Hospital reveals they are a victim of Cerner hack

Written by Abby Grifno | Nov 30, 2025 2:35:26 AM

The Missouri-based healthcare provider found that their legacy record vendor, Cerner, was recently breached. 

 

What happened

North Kansas City Hospital (NKC Health) posted a notice to its website on November 25th, 2025, regarding a data breach. 

According to the notice, Cerner, now known as Oracle Health, was storing electronic medical records while awaiting migration to Oracle Cloud Infrastructure. Because Cerner is now owned by Oracle, it is considered a legacy system. The notice stated that an unauthorized third party gained access to Cerner and obtained data from it, beginning as early as January 22nd, 2025.

Information involved included names, dates of birth, and Cerner patient identifiers. Additionally, data accessed may have included medical records, doctors, diagnoses, medicines, images, and care and treatment. The breach has not yet been posted on the Department of Health and Human Services (HHS) website, so the number of impacted victims is currently unknown.

 

What was said

NKC Health noted that Cerner informed them that law enforcement investigators “directed a delay in notifying patients, as well as additional hospital customers, about this incident because it could have impeded their investigation.”

While Cerner did not say definitively, the company did say they do “not believe that Social Security Numbers relating to NKC Health’s patients are involved in this incident.” 

 

The big picture

The data breach at NKC Health is likely part of a larger incident at Oracle that occurred at the same time, as Oracle worked to transfer Cerner servers to the Oracle Cloud. The Cerner servers were accessed via stolen credentials, and the incident was identified on February 20th, 2025. Despite Oracle announcing the breach earlier this year, some organizations, like NKC Health, are continuing to come forward as they receive more information.

A legacy server is an outdated system that is still in use, likely because of delays in switching to new software. In some cases, like this one, it’s hard to avoid using the legacy server, but these servers present more vulnerabilities. The software may not be regularly updated, vulnerabilities may not be patched, and cybersecurity teams may not be actively monitoring it. Legacy data systems can easily be infiltrated, and the same concept can apply to email systems. According to Matt Murren, CEO of True North ITG, “HIPAA compliance is non-negotiable. Legacy email systems often lack features like end-to-end encryption, audit logging, or robust access controls–putting both patient data and institutional reputations at risk.” Whenever an organization believes its system may be outdated, it should quickly make a plan to update the system or transfer. 

 

FAQs

Why hasn’t the breach been reported to the HHS yet?

There are several reasons the breach may not yet be available on the HHS breach portal. The investigation may still be ongoing, and NKC Health may not yet know final numbers. Furthermore, the HHS may still be catching up on posting data breach notifications after its pause due to the government shutdown. Regardless of the reason, the breach will likely be reported and available within the coming months. 

 

What’s next? 

NKC Health said they are looking to Cerner to provide more information as it becomes available. Once more information is available, NKC Health will likely report the breach, and victims may determine if they plan to pursue a lawsuit.