TMH patient data exposed in vendor cyberattack

In January 2025, a data breach linked to a former vendor of Tallahassee Memorial HealthCare (TMH) potentially exposed sensitive patient information.

What happened

The breach involved Cerner, an electronic health record company that TMH no longer uses. Cerner confirmed that a cybersecurity event involving unauthorized access occurred on or around January 22, 2025. On March 13, 2025, TMH was contacted by an unknown party claiming to possess patient data, which the hospital verified as legitimate. 

The compromised information included names, Social Security numbers, and details from medical records such as diagnoses, medications, test results, images, and treatment history. TMH immediately launched an investigation with cybersecurity experts and informed law enforcement. The incident stemmed from data migration services previously performed by Cerner. 

Cerner later stated in its notice of June 17, 2025, that it became aware of the breach in late February and had since taken remediation steps. TMH notified affected patients in a letter dated June 13, 2025, and emphasized that its current electronic health record system was unaffected. Both TMH and Cerner are now offering impacted individuals two years of free identity protection services, including credit monitoring.

The backstory

Oracle acquired Cerner, a major electronic health record (EHR) vendor, in a $28.3 billion deal finalized in June 2022. In January 2025, a hacker reportedly used stolen credentials to access legacy Cerner servers that had not yet been migrated to Oracle’s modern cloud infrastructure. The breach was identified by Oracle on February 20, 2025, and the impacted data appears to include names, Social Security numbers, test results, and other protected health information (PHI). Oracle did not notify individual patients directly, instead placing responsibility for HIPAA breach notifications on healthcare providers like TMH. 

Meanwhile, the hacker, allegedly using the alias “Andrew,” began extorting Oracle Health’s clients by threatening to release stolen medical data unless paid in cryptocurrency. TMH confirmed on March 13, 2025, that an unknown party had contacted them claiming to possess stolen patient data. This was later verified and linked to data migration services provided by Cerner. Oracle’s handling of the breach has drawn criticism for its delayed response, limited transparency, and the use of legacy systems that remained vulnerable. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a security alert due to risks associated with legacy Oracle systems and stolen credentials.

What was said 

A news story by WTXL Tallahassee provided the following statement from TMH: “TMH was recently notified by Cerner, which is now part of Oracle Health (“Oracle/Cerner”), an electronic health records (EHR) vendor previously used at TMH, that it had experienced a cybersecurity event involving unauthorized access to data hosted in Oracle/Cerner’s data migration environment — including certain TMH patient information. We have indications that TMH is one of many healthcare organizations nationwide impacted by this incident.”

FAQs

What is a cybersecurity incident?

A cybersecurity incident is any unauthorized attempt to access, steal, damage, or disrupt an organization’s computer systems, networks, or data. Common examples include data breaches, ransomware attacks, phishing attempts, and system intrusions.

Why wasn't the breach disclosed immediately?

Cerner said law enforcement requested a delay in disclosure to avoid interfering with the ongoing investigation.

Can ransomware be involved in vendor-related breaches?

Yes. While the TMH–Cerner breach was not explicitly confirmed as ransomware, vendor-related breaches often involve ransomware attacks or system intrusions where data is exfiltrated.