Munson Healthcare Patients Affected by Cerner Legacy Server Breach, Attorneys Respond

Munson Healthcare, the largest health system based in Traverse City, notified patients on or around January 26, 2026 that personal and medical information tied to legacy Cerner electronic health record servers may have been accessed by an unauthorized party during a cyber intrusion first detected on or around January 22, 2025. Munson chief marketing and communications officer Megan Brown said Cerner recently informed Munson and some Munson patients about the incident and that the health system is offering free credit monitoring through Experian to impacted patients.

Cerner, now Oracle Health, confirmed a hacker gained access to two legacy servers, and public statements linked the compromise to a broad range of data fields. Michigan Attorney General Dana Nessel’s office, in a reissued consumer alert, said the incident compromised patient names, Social Security numbers, medical record numbers, doctors, diagnoses, medicines, test results, images, and care and treatment information. The breach has been tied to a larger incident that reportedly has affected dozens of hospitals nationwide.

Numbers differ on how many Munson patients were affected. Munson’s spokeswoman Megan Brown provided a nut-shell figure of 120,000 patients impacted. Separately, Schubert Jonckheer & Kolbe LLP said in a press advisory that 101,891 Munson patients had sensitive information accessed and is investigating potential legal claims on behalf of affected people. The firm warned that victims “may be at risk of identity theft and other serious violations of your privacy” and said they “may be entitled to money damages and an injunction requiring changes to Munson Healthcare's cybersecurity practices.”

Timing and notification are central legal questions. Megan Brown stated, “Cerner was made aware of the breach in January 2025 and immediately secured its systems. Law enforcement instructed Cerner to wait to notify customers and patients while they completed their investigation.” Multiple legal and regulatory observers have noted the roughly one-year gap between the January 2025 breach discovery and notifications sent in late January 2026, raising potential state and federal compliance issues.

Local officials and the state attorney general are pressing for stronger disclosure rules. Nessel’s office said she is reissuing a consumer alert on data breaches and is “advocating for legislation that would enhance protections against data breaches and identity theft,” including requirements for prompt disclosure to the attorney general’s office. The AG’s release noted a bill package passed the Michigan Senate last year and is currently awaiting consideration in the Michigan House.

Munson’s immediate remedy for notified patients is Experian credit monitoring; details on enrollment period and scope were not included in Munson’s public statement. Schubert Jonckheer & Kolbe LLP’s advisory instructs affected individuals to contact the firm for information about legal rights and possible damages. Patients who received notification should review the notification letter, enroll in the offered Experian monitoring, and consider contacting the law firm or the Michigan Attorney General’s office for guidance on next steps.