Fallout from 2025 Cerner breach continues: Alabama hospital faces class action lawsuit
A hospital that had its data stolen by hackers as a result of the 2025 breach on Cerner’s legacy EHR system is facing a class action lawsuit, led by a patient who thinks the facility failed to protect sensitive information about him and others.
Named as a defendant in the lawsuit filed Wednesday by Billy Parker is Huntsville Hospital Health System, that in June finally notified patients about the Cerner incident, which occurred in January 2025.
Cerner, an electronic medical record system vendor, has since changed its name to Oracle Health. The scope of the breach of its network is still being investigated, but it is known to have impacted at least 80 hospitals, compromising records on millions of patients.
After breaking into the Cerner system, the unauthorized third party was able to take records directly from hospitals, health systems and providers that used the service—including the Huntsville Hospital system, which used it to keep records on patient care encounters.
Data exposed included names, contacts, Social Security numbers, details on treatment, diagnoses, provider names, insurance information and more.
In its notice, Huntsville said it became aware that its data was compromised in August 2025, roughly seven months after cybercriminals had already been inside the Cerner technology, where data on patients at Huntsville was accessed shortly after.
Central to the complaint is the timing of the notice. Despite apparently becoming aware of the data breach in August 2025, it wasn’t until June 17, 2026 that Huntsville publicly notified patients about the incident.
Parker said that’s when he learned that his data had been compromised. He accuses the health system of failing to notify patients in a timely manner, as required under the Health Insurance Portability and Accountability Act (HIPAA).
He also accuses the hospital network of failing to do its due diligence to ensure data was safe by entrusting Cerner with personal records on patients.
Officially, Huntsville Health is being accused of four civil violations in Parker’s court filing: negligence, invasion of privacy, breach of implied contract and unjust enrichment.
Tens of thousands of potential claimants
Lawyers representing Parker have asked a court to grant their lawsuit class action status, so that all victims of the data breach can seek justice.
As for how many there are—that is currently unknown, as official numbers have yet to be reported to the federal government’s healthcare data breach tracker. And as mentioned above, the scope of the data breach is still being investigated.
However, Parker’s attorneys say it's likely tens of thousands of patients who were victimized by the cyberattack, all of whom can join the class if the lawsuit is upgraded.
Parker, et al. are seeking damages and a court order forcing Huntsville Health to upgrade its cybersecurity to thwart future intrusions into its network.
Committed to cybersecurity?
In a statement sent to multiple media outlets, Huntsville Hospital clarified that the breach did not occur because any IT security at its hospitals failed. Instead, unauthorized third party access was only made possible because of the breach on Cerner.
“Huntsville Hospital Health System is committed to protecting the confidentiality and security of its patients’ information,” a spokesperson said. “The security incident in question occurred on Cerner’s systems. It did not involve access to any system maintained by Huntsville Hospital Health System, nor was it caused by a failure of Huntsville Hospital Health System.”
The health system is based in Alabama, centered around a single large hospital that employs 20,000 employees, 2,000 nurses and 650 physicians.
A nonprofit entity, Huntsville Hospital is a full-service patient care network that partners with a number of smaller facilities in the region. It isn’t clear if any of those other hospitals had their patient data compromised.
This is a developing story.
