Lawsuit filed against nonprofit hospital after Cerner hack exposes thousands
A class action lawsuit has been filed against Ohio-based Aultman Health System after a data breach exposed thousands of patient and employee records to hackers. The incident happened as early as January 2025, though patients were not notified until December 2025.
The complaint, filed by an attorney in Minneapolis on behalf of Jack Oliver, the primary plaintiff from Philadelphia, seeks to include all victims of the breach who wish to join.
The lawsuit accuses Aultman of failing to safeguard sensitive patient data, including medical records. In an announcement, the nonprofit health system confirmed the breach. It said compromised data included “names, Social Security numbers, and information included within patient medical records, such as medical record numbers, doctors, diagnoses, medicines, test results, images, care and treatment.”
The health system, however, was not the target of the cyberattack. Instead, its EHR vendor, Oracle Cerner, was the primary victim, and the attack impacted systems nationwide. Aultman is ultimately required to notify its patients if they were swept up in the hack.
It confirmed that Aultman Hospital, Aultman Alliance Community Hospital, and Aultman Orrville Hospital records were all accessed by the nefarious parties, as they use the Oracle Cerner service for operations and patient care.
As for why the incident, said to have happened as early as January 22, 2025, did not result in notification for nearly a year, Aultman said that decision was out of its hands.
“The vendor later informed us that law enforcement investigators directed a delay in notifying patients, as well as hospital customers, about this incident because it could have impeded their investigation,” it wrote.
Aultman did add that as soon as Oracle Cerner learned of the breach, the company took steps to secure all systems and notify its hospital customers of the potential data theft. The EHR vendor is offering the customary identity theft protection services, as required by federal law.
Lawsuit targets nonprofit
Still, it’s ultimately Aultman who is named as the primary defendant in this lawsuit. Plaintiffs name the delayed response as a reason for their complaint.
“The data breach was the direct and proximate result of [the] defendant's failure to implement and maintain reasonable cybersecurity policies, procedures, and technical safeguards,” the lawsuit reads.
The class action litigation is seeking damages for all plaintiffs.
Aultman has 1,032 beds across its facilities and has over 7,000 people on staff, including 1,000 providers.
